(please send follow-ups to mozilla.dev.tech.crypto)
Brian has in the past discussed proposed updates to NSS that would allow
us to penalize bad CA behavior by removing trust of all certs from a
given CA that were issued after a given date (or even for X amount of
time after a given date). The theory is that this would allow real
penalties and user protection for bad CA behavior without breaking the
internet.
From a moz.dev.sec.policy perspective, this would be a nice tool to
have in our belt. However, if we're not going to have it in the
relative near term, we need to be taking other policy steps.
I've tried to track down Brian's past discussions of this, to no avail.
I believe that he talked about it at our panel at USENIX Security last
year, but all of the video/audio links from that event seem to be
crapping out:
http://static.usenix.org/events/sec11/
Brian, any thoughts on this? Is this something we should be holding out
for, or should we look to other approaches?
Steve
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
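To make the mechanism Steve describes concrete, the following is an added example (not NSS code and not from the original post) of how a date-based distrust check could be evaluated during chain validation. It assumes a simplified certificate model, compares the end-entity certificate's notBefore against a per-root cutoff (with an optional "for X amount of time" window, as the post sketches), and uses constructed CA names and dates throughout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model (constructed for this example)."""
    subject: str
    issuer: str
    not_before: datetime


@dataclass(frozen=True)
class DistrustRule:
    """Distrust certificates chaining to root_subject that were issued
    after distrust_after. If window is None the distrust is open-ended;
    otherwise only issuance inside [distrust_after, distrust_after + window]
    is penalized (the 'X amount of time after a given date' variant)."""
    root_subject: str
    distrust_after: datetime
    window: Optional[timedelta] = None


def is_distrusted(chain: List[Cert], rules: List[DistrustRule]) -> Optional[str]:
    """Return a reason string if a rule rejects the chain, else None.

    chain is ordered leaf first, root last. Assumption (labelled): the
    end-entity certificate's notBefore is the issuance date compared
    against the rule, since the rule targets certs the CA issued after
    the cutoff rather than the root itself.
    """
    if not chain:
        raise ValueError("empty chain")
    # Sanity-check chain linkage before consulting policy.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"broken chain: {child.subject} not issued by {parent.subject}")

    leaf, root = chain[0], chain[-1]
    for rule in rules:
        if rule.root_subject != root.subject:
            continue
        if leaf.not_before <= rule.distrust_after:
            return None  # issued before the penalty took effect: still trusted
        if rule.window is not None and leaf.not_before > rule.distrust_after + rule.window:
            return None  # issued after the penalty window closed: trusted again
        return (f"{leaf.subject} issued {leaf.not_before.date()} chains to "
                f"{root.subject}, distrusted after {rule.distrust_after.date()}")
    return None  # no rule for this root


# Constructed policy: one open-ended penalty, one 90-day window.
RULES = [
    DistrustRule("Example Root CA", datetime(2012, 1, 1)),
    DistrustRule("Other Root CA", datetime(2012, 3, 1), timedelta(days=90)),
]


def build_chain(root: str, issued: datetime) -> List[Cert]:
    """Constructed leaf -> intermediate -> root chain for a given root."""
    return [
        Cert("www.example.test", f"{root} Intermediate", issued),
        Cert(f"{root} Intermediate", root, datetime(2010, 1, 1)),
        Cert(root, root, datetime(2005, 1, 1)),
    ]


def evaluate_samples() -> dict:
    """Run the policy over constructed chains; used by the stand-alone demo."""
    samples = {
        "before_cutoff": build_chain("Example Root CA", datetime(2011, 6, 1)),
        "after_cutoff": build_chain("Example Root CA", datetime(2012, 2, 1)),
        "inside_window": build_chain("Other Root CA", datetime(2012, 4, 1)),
        "after_window": build_chain("Other Root CA", datetime(2012, 8, 1)),
        "unaffected_root": build_chain("Unrelated Root CA", datetime(2012, 4, 1)),
    }
    return {name: is_distrusted(chain, RULES) for name, chain in samples.items()}


if __name__ == "__main__":
    for name, reason in evaluate_samples().items():
        print(f"{name:16s} -> {'DISTRUSTED: ' + reason if reason else 'trusted'}")
```

The open-ended rule models the "all certs issued after a given date" case; the windowed rule models the time-limited penalty. Certificates issued before the cutoff, or after a bounded window closes, keep validating, which is what keeps the penalty from "breaking the internet" for the CA's existing customers.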