Very little of this has happened historically because the existing CAs now in mozilla's list have been very very good at not issuing "duff" certs. As evidence of this truth, I offer the HUGE amount of press (not to mention postings in this group) that a *single* duff cert incident got a few years ago. The press held that CA up to high standards precisely because that CA already had a reputation for doing a good job of avoiding "duff" certs.
Indeed - I agree that the sky is definitely not falling. However, this happening was the starting point for the scenario under discussion, so that's why I started with it.
However, mozilla is now considering changing its standards for admission to mozilla's trusted CA list. I think there is substantial risk of increased "duff" certs (especially SSL certs) from this plan.
I share your concern; we need to be very careful about what the policy says. I applaud your work in this area.
- The MF decides, pragmatically, that CA Foo has sold too many certs to yank their root cert, due to user inconvenience.
This says to me that MF needs to hold a high standard before admitting certs to the list, because it's too difficult to take them out later.
Absolutely.
- The MF instead declares that CA Foo's root cert will be yanked in 6 months, unless they clean up their act, and that sites should not rely on CA Foo's certs working in 15% of browsers 12 months from now.
MF might declare that, but I doubt it would ever enact the threat. Doing so would only hurt mozilla.
Well, it would depend on whether the CA cleaned up their act, and whether people migrated away from their certs. Absolutely, it's a game of chicken.
I'm not saying it's a good solution to CA cert removal, but I'm hard pressed to think of a better one. You are right - removing CA certs is very, very hard.
Gerv

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
