On Monday, June 19, 2017 at 11:40:22 PM UTC-5, Tom Ritter wrote:
> So at what point does the CA become culpable to misissuance in a case
> like this? Is it okay that we let them turn a blind eye to issuing or
> reissuing certificates where they have a strong reason to believe the
> private key will be published in firmware?
Pretty much any DV-validated certificate could be used the way Cisco's software used this one. Unless we want to create new burdens for every DV-validating CA out there, I don't think it's practical to presuppose that a similar certificate will get similar misuse. The right balance is probably revoking when misuse is shown.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

