On 2/18/12 11:30 PM, Jan Schejbal wrote:
On 2012-02-19 02:46, Stephen Schultze wrote:

Brian, any thoughts on this?  Is this something we should be holding out
for, or should we look to other approaches?

A different interesting approach for a punishment could be removal of
the ability to create Sub-CAs. This would not put a CA out of business
like other solutions, but hurt it and most importantly, remove an
extremely risky ability.

This could probably be done by removing the root and adding a new,
modified cert that has a length constraint (possibly adding all
still-allowed CA-owned sub-CAs if they issued Sub-CAs directly from
their root).

Yes, but it would also break all existing certs issued by that CA that are in the wild, which is one of the reasons that Mozilla has been so resistant to removing roots in the first place.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
