Would it be an option to remove the trust bits on the root first and then later on remove it from the store entirely?
While I agree that action is warranted my concern is that the consequence of any action taken will be borne out by the customers of this CA and their users. We are essentially saying any of those web sites will, at best, get a cert warning. Some users of course will be able to add an exception. If the site happened to use HSTS, though, there is no recourse and so Mozilla will have created a DoS situation against those sites.

Along these lines, does Mozilla have any resources at its disposal to help get the word out that this action is in the works? I'm sure web site owners would appreciate having a chance to acquire new certs before their sites go black.

Original Message
From: Kathleen Wilson
Sent: Thursday, March 19, 2015 1:31 PM
To: [email protected]
Subject: Re: Propose Removal of E-Guven root

On 3/18/15 12:40 PM, Kathleen Wilson wrote:
> All,
>
> I propose removing the following root cert from NSS, due to inadequate
> audit statements.
>
> Issuer:
> CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
> O = Elektronik Bilgi Guvenligi A.S.
> C = TR
>
> SHA-1 Fingerprint:
> DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
>

I have filed the bug for the corresponding code changes:
https://bugzilla.mozilla.org/show_bug.cgi?id=1145270

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

