Hello,

On 04/10/2014 04:28 PM, Rob Stradling wrote:
> The Mozilla CA Certificate Maintenance Policy (Version 2.2) [1] says
> (emphasis mine):
>
> "CAs _must revoke_ Certificates that they have issued upon the
> occurrence of any of the following events:
> ...
> - the CA obtains _reasonable evidence_ that the subscriber's private
> key (corresponding to the public key in the certificate) has been
> compromised or is _suspected of compromise_ (e.g. Debian weak keys)"
>
> I think that's pretty clear!
Yes. It is.

I requested the revocation of two StartSSL certificates due to CVE-2014-0160 more than two weeks ago. The revocation has not happened, probably due to the lack of payment methods I have provided so far.

IMHO: This violates Mozilla's policies (as quoted).

I think there is an urgent need for a public statement from Mozilla, being either:

-> An explanation of why StartSSL is still in the trust store although it is violating Mozilla's policies.

OR

-> An explanation that StartSSL is removed.

This statement is urgently needed - imho.

Thanks,
Jan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

