On 14/02/12 21:40 PM, Ralph Holz wrote:
> Ian,
>
> Actually, we thought about asking Mozilla directly and in public: how
> many such CAs are known to them?

It appears their thoughts were "none."

Of course there have been many claims in the past. But the Mozilla CA desk is frequently surrounded by buzzing small black helicopters so it all becomes noise.


> I'd have thought that some would have
> disclosed themselves to Mozilla after the communication of the past few
> weeks. Your mail makes it seem as if that was not the case, or not to a
> satisfying degree.

Sigh. One of the things that went very wrong with Mozilla is that the CAs started private non-disclosable discussions. Of course, this led to a lot of manipulation, and basically we have no idea what things have happened behind the covers. It's now the case that the open forum has very little influence and CAs in private & confidential conversations have most or practically all of the influence.

So even if they have disclosed it in the last few weeks, we are likely never to know. Which means that Mozilla's decision will be announced in a vacuum. Nobody will be happy.


> Which makes me support Marsh Ray's one-strike
> proposal even more strongly: issuing a death sentence to a CA who has
> disclosed is counter-productive. It will drive the others deeper into
> hiding.
>
> You know, I can't help but think of the resemblance to the real world
> death penalty for humans - AFAICT it does not seem to deter criminals.

The only real power Mozilla has is to strike them off the root list. It's only been done when the decision was easy for other reasons.

I agree that this is the most interesting and challenging thing to hit Mozilla in a while. Coz of the whole trust and reliance thing; users put a lot of their trust in Mozilla.

iang

> Ralph
>
> On 02/14/2012 03:31 AM, ianG wrote:
>> Hi all,
>>
>> Kathleen at Mozilla has reported that she is having trouble dealing with
>> the Trustwave question because she doesn't know how many other CAs have
>> issued sub-roots that do MITMs.
>>
>> Zero, one, a few or many?
>>
>> I've sent a private email out to those who might have had some direct
>> exposure.  If there are any others that might have some info, feel free
>> to provide evidence to kwil...@mozilla.com or to me if you want it
>> suitably anonymised.
>>
>> If possible, the name of the CA, and the approximate circumstance.  Also
>> how convinced you are that it was a cert issued without the knowledge of
>> the owner.  Or any information really...
>>
>> Obviously we all want to know who and how many ... but right now is not
>> the time to repeat demands for full disclosure.  Right now, vendors need
>> to decide whether they are dropping CAs or not.
>>
>> iang
>> _______________________________________________
>> cryptography mailing list
>> cryptography@randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography