On 12/28/2008 9:42 AM Eddy Nigg cranked up the brainbox and said: > On 12/28/2008 04:24 PM, Ian G: >> No, I'm afraid there is an agreement to list the root, under a policy. >> Once listed, Mozilla has to operate according to its side of the bargain. > Apparently you are reading something I haven't.
Apparently, but that doesn't mean it's invalid. Mozilla can't act arbitrarily and without cause and expect to retain any shred of respect or trustworthiness. A policy not adhered to is worthless. > That's for the specific certstar case. Domain validation isn't performed > by Comodo on a wide scale apparently and perhaps no validation is > performed at all. Yes, perhaps, and perhaps they send out certs to anyone who asks nicely, but we have little evidence to support these suppositions. Rather than having a kneejerk reaction of removing Comodo from the root list, why don't we examine the situation. This reseller was not acting according to proper procedure. Comodo immediately revoked their reseller status, and reviewed their certs. Further, they've said they're reviewing their policies to ensure this doesn't happen again. Given their candor and quick response, what more do you require that you feel you're not getting that justified removing them as a root CA? I really think you're going overboard. Form what I see, I'm not alone in that assessment. You did a good job in bringing this to light. Having the issues you uncovered addressed and fixed should be sufficient. Why do we need to take punitive action that will do nothing but punish tens of thousands of other Comodo customers and millions of users? -- Grey Hodge email [ grey @ burntelectrons.org ] web [ http://burntelectrons.org ] tag [ Don't touch that! You might mutate your fingers! ] motto [ Make everything as simple as possible, but no simpler. - Einstein ] _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto