One can certainly "applaud the fact they are discussing this publicly" - but - what they have done is totally a no-no (would sound like a no-brainer if you ask me), no matter how much subsequent damage control you do.

Wrt Mozilla, I strongly feel there is very little point in waiting for any resolution there. After all (and on the MITM note), they *still* ship the CNNIC certificate with no intention of removing it, apparently. https://bugzilla.mozilla.org/show_bug.cgi?id=542689

> How do you feel about the sneaky nature of the apparently multiple Verisign
> compromise disclosures, and the subsequent lack of public discussion -
> should we also remove their CAs?

That, CNNIC, Comodo and probably a bunch of others. Will not fix the real issue though - the entire trusted CA model design is broken as it is.