Robert Sayre wrote:
I agree, that would be pretty stupid. Fortunately, that is not what I'm suggesting. The CA in question would of course give the companies new ones, no charge. Of course, it might be an indication they should take their business elsewhere.

But if the CA did not do additional vetting of those 10,000 companies, then the new certs would be identical to the old.

I don't see why we should tell our users to trust EV certs that were issued by a CA with inadequate procedures in place at the time the cert was issued. Do you?

It depends what the failure was.

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security