On 12/23/2008 09:15 PM, Hendrik Weimer:
Frank Hecker <hec...@mozillafoundation.org> writes:

My intent is to balance the disruption that would be caused by pulling
a root vs. the actual security threat to users. Right now we have no
real idea as to the extent of the problem (e.g., how many certs might
have been issued without proper validation, how many of those were
issued to malicious actors, etc.).

Isn't that, by itself, a very good reason to take immediate action?
Security should be default-fail rather than default-pass.


It should be. I realized that there are more points which will have to be addressed in due time at Mozilla, which however can wait for now.

Concerning the disruption, Comodo has many roots and the resetting of this specific root would affect low-assurance sites as far as I know. The higher validated sites would not be affected. Having said that, the roots of their low-assurance products have been previously of concern; it must be looked at in the broader context of Comodo's operations. It's not surprising in itself.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
