Nelson B Bolyard wrote:

> Agreed, and part of the discussion here is: is it acceptable to Mozilla
> to continue to "trust" certs from CAs who don't revoke timely in the
> presence of evidence? I hope not. Such CAs provide only "security
> theater", IMO.

Yupp.

> Actually, I think most of them already ARE more strident about this than
> I am. There is already HUGE distrust of CAs among the Mozilla community,
> especially developers. For a decade now there have been ongoing calls
> for Mozilla to ship a browser with an empty trusted CA list. There are
> STILL calls for removing Verisign certs from the trust list because of the
> issuance of some bogus Microsoft certs some years ago. The number one
> impediment to the acceptance of EV by the Mozilla community was that it
> was initially promoted by the very CA they most despised.

Nelson, thanks for these clear words.

> CAs can use this as an opportunity to say "Users of PKI with our certs
> don't need to carry around 3MB Key revocation lists. They don't need new
> software. They just use the OCSP revocation that is already built in to FF3
> and IE7, and they're covered, because the CAs will do a competent job of
> revocation for them." That's real value that any Debian user can see.

Yes! To CA staff lurking here: Prove your trustability now to save your own business!

Ciao,
Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto