Robert Sayre wrote:
> Gervase Markham wrote:
>> Robert Sayre wrote:
>>> That is a good idea. Perhaps the policy should be to revoke 10,000 individual certificates issued immediately before and after a known-bogus one. The sites in question will have plenty of warning, thanks to our open process, and it will bite the CA in the pocket book.
>>
>> Right - so we punish 10,000 random companies by making them buy new certs, because they happened to buy their original ones from the wrong CA? That would make us very popular.

I agree, that would be pretty stupid. Fortunately, that is not what I'm suggesting. The CA in question would of course give the companies new ones, no charge. Of course, it might be an indication they should take their business elsewhere.

I don't see why we should tell our users to trust EV certs that were issued by a CA with inadequate procedures in place at the time the cert was issued. Do you?

So, the companies are not chosen at random. They underwent the same inadequate validation procedure as the criminals adjacent to them.

-Rob
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
