Ka-Ping Yee wrote:
> I wish CAs believed that were the case!  I think some of the skepticism
> you are encountering in this discussion is skepticism that Verisign and
> other CAs will actually feel any pressure.  Right now, they have most of
> the power and Mozilla has very little, because Verisign has a monopoly
> and Mozilla does not.  If Mozilla removed Verisign from its root CA list,
> its users would probably switch to IE.

I completely agree. And that's why EV is so good - we could disable the EV-ness of their certificates without breaking the web by removing the root entirely.

> When Verisign issues a bogus certificate -- as it has in several cases --

Do you have a list, with references? I know about the MS code-signing certs, but no other cases.

> acceptable certificate.  This would encourage websites to get certificates
> from many CAs, hoping to meet the standards set by the users.

Do you think there's any chance of making this happen? I can't see it...

Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
