Perhaps you meant that you find reason to doubt my statement and so I would like to understand why you think MF would hesitate to remove a CA that is known to be intentionally acting maliciously.
For the record, I have stated (multiple times) that I think having "bad" CAs in the root CA list should be treated like any other security vulnerability, including creating and generating a security fix release if necessary and appropriate. The policy provides for removal of CAs (as opposed to just adding them) for exactly that reason.
What may be confusing the issue is that I have also stated that I don't have time right now to go through the list of existing CAs and (re)evaluate them. This is indeed true. However, if a problem were to develop involving an existing CA, then someone (anyone) could file a security bug on it and the Mozilla security group would then look at that and decide if a patch to remove the CA's cert(s) were warranted.
On the revocation issue, I would certainly consider modifying the policy to require that CAs maintain some sort of revocation service, whether based on OCSP or regularly-updated CRLs. To my knowledge all the CAs who've applied for inclusion do this (most using CRLs, a very few using OCSP); it seems to me part of the normal function of being a CA, and given that, it's arguably a good idea for the policy to require CAs provide revocation services in anticipation of revocation checking being turned on in future.
Frank
--
Frank Hecker [EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
