On Sat, Aug 09, 2014 at 11:52:16PM -0700, Ryan Sleevi wrote:
> At the risk of engaging what may be trolling behaviour (non-attributable
> email addresses and all that good jazz), and while a point-by-point
> takedown is not particularly worthy, the author makes a number of
> demonstrably false or misleading claims.
> 
> 1) That the issuance of certs increases the likelihood of CA compromise.
> Evidence demonstrates the opposite, but either way, they're orthogonal
> issues entirely. Having more certificates issued does not directly make it
> more likely for a CA (like DigiNotar) to be breached.

I'm curious to know what evidence you think demonstrates that issuing more
certificates *reduces* the risk of CA compromise.  I would say they *are*
orthogonal issues, but you can't have it both ways -- they're
meta-orthogonal (as it were).

I will say that having more certificates issued appears to at least be a
factor in determining whether or not you get de-trusted as a result of a
breach.  While the difference in behaviour between Comodo and DigiNotar in
response to their respective breaches no doubt played a part in the
different outcomes, there was a *lot* of hand-wringing about how many
end-users would be adversely impacted by de-trusting Comodo roots,
indicating it was a factor in the decision-making process.  

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
