On 18/04/14 05:32 AM, [email protected] wrote:
> Would it be feasible for Mozilla to maintain a CRL-like that sidesteps the
> need for the CA to revoke a cert?
>
> This way if a CA is behaving badly the certificate still gets invalidated.

I think it would be a lot saner to simply stop showing a shiny green lock for a CA violating the policy. This way, sites will continue to work for users and there will be no loss of security. However, Firefox won't be giving users a false sense of security. Mozilla has all the cards in their hands here.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

