Jan Schejbal: > I did (now completely), but most of it seems to be a discussion about > CAs (not) revoking keys. As I understand it, if the CA does use only a > normal CRL (and not OCSP), firefox won't care. At least the > proof-of-concept attack on the akamai key still worked.
Yes, as indicated CRL fetching is in the works. >> Wild cards go as well with the exceptions. > > I did not find a way to do this, can you tell me where to look? Nope, I'm mistaken. I thought it would work, but it doesn't. > First, I would like to make clear that I am quite sure that no CA would > create a fake cert just because an intelligence agency simply asked to > do so. Thank you :-) > But I assume(d), that if a powerful intelligence agency wants to > achive something like this, they will find a way (for example by > threatening an employee or simply faking identification documents, or > just intercepting the verification e-mail that is probably transfered > via unsecured SMTP). Oh well, any relevant ISP can do that, it doesn't have to be the FBI, CIA, MI5 or the Mossad. Obviously that has nothing to do with the country of origin (as you indicated in the previous post about Chinese CAs - or Israeli for that matter). The argument itself isn't really valid I think. But also needless to say that this would be a criminal offense which could be persecuted accordingly. I just picked the mossad because I considered it > the most powerful and capable agency, and the Startcom CA as I assumed > that it would be the easiest thing for the mossad to do it in its own > country. If something like that happened, it would not be the fault of > the CA, I don't think there is anything the CA can do against this. Except secure SMTP connections and additional flagging and verifications, which StartCom does even in the Class 1 (domain validated) settings. It's certainly not 100% foolproof, but the best it can get. > (actually I might get my cert from Startcom as soon as I need one). Be my guest... > About the Verisign thing: In the USA, the new counter-terrorism > regulations (some of which seem to be secret) could force a CA to > cooperate, but I will gladly accept the opinion of someone who has more > experience than me. I can't answer for them obviously... > That might be the main reason why not to worry too much about the > scenario. But it was just an example, other failure situations are > possible, so I think a "lock in" feature would be useful for advanced > users anyway. (AFAIK the only reason why the CAcert root certificate was > not broken because of the debian problem is that it was generated before > the error was introduced). A compromised root is an entirely different story! But they aren't in NSS so we don't have to worry about that. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
