On 28/12/08 15:42, Eddy Nigg wrote:
On 12/28/2008 04:24 PM, Ian G:
I was clearly replying to the later part:
The CA will lose; potentially it will lose its revenue stream, or have
it sliced in half (say), which is what we would call in business circles
a plausible bankrupcy event.
It's not relevant.
Well, that part may not be a loss that effects a security discussion.
But I've made the point before that economic interests are much more
important and may be dominant. See below the discussion of lawyers.
So perhaps you won't mind if I keep bringing them up. We might simply
disagree as to their practical relevance to the real world discussion.
No, I'm afraid there is an agreement to list the root, under a policy.
Once listed, Mozilla has to operate according to its side of the bargain.
Apparently you are reading something I haven't.
Statements (policy, etc) plus actions gives rise to an agreement. The
agreement doesn't have to be written in one document to exist, it can
exist without anything to read, or with many things to read.
The problem being, that even if it reserves the right to make a choice
for any reason, this does not give Mozilla carte blanche.
Mozilla can make a bad decision, no doubt. This case is most likely not
one of those you are referring to.
Well, who is going to warrant that for Mozilla?
Please read it carefully. a root being dropped by a BAD decision.
A root isn't removed before careful considerations. A bad decision
doesn't warrant not to remove any roots at all if necessary. Mozilla can
also reinstate a root.
If in court, we can be sure that the CA will argue that the decision is
bad. The judge will bend over backwards to let the CA make that case;
that's what the court is there for.
(This then turns on who has the burden, and what question has to be
answered. Er, now we need the lawyers.)
What I'm about here is that: in any wider business analysis, the answer
is that, short of total collapse, do not remove the root. And if there
is total collapse, you will be wrong regardless, so it doesn't really
matter what you do.
I am not saying I *like* it. In fact, I don't like it.
I'm saying the tool is bankrupt. Think of other tools, this one will
not work for you.
Let me put it another way: one phone call from the CA's lawyer to
Mozo's lawyer is probably sufficient to solve this problem *for the CA*.
Ask yourself whether you have a lawyer. Ask your lawyer whether he can
make the phone call. Ask your lawyer how the phone call will go (he
doesn't need to make it).
Let us know what he says, for the education of us all.
They stated how many, IIRC. I recall it was something like 111 certs
issued and 11 outstanding that had not been re-verified within around 48
hours (these numbers are not accurate, but indicative) and were
therefore revoked.
That's for the specific certstar case. Domain validation isn't performed
by Comodo on a wide scale apparently and perhaps no validation is
performed at all.
Oh, that's a new claim, beyond this reseller.
Is there any evidence? If so, then maybe there should likely be a new
investigation, and widespread revocations by the CA of the non-verified
certs. OK, as discussed earlier, actual investigations are outside
scope of here (which begs the important question of where it is in scope
of!) so let's not speculate further on Comodo's exact position.
Back to the damages estimate: we still need to form an estimate of how
many certificates were issued to people of malintent.
Without that, we are still left with a damages estimate of zero, albeit
one multiplied by a much larger number of users, with a much greater
range of possible error.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
