Oops, should've replied all.

On 5/11/05, Peter Gutmann <[EMAIL PROTECTED]> wrote:
> Ram A Moskovitz <[EMAIL PROTECTED]> writes:
>
> >Why can't revocation be used to prevent further distribution of dangerously
> >flawed software as well as malicious software? How about disabling the use of
> >the software?
>
> How will you know which plugin(s) to disable? How will you prevent yourself
> from being sued by the creators of the plugin(s), who haven't violated the
> CA's TOS and therefore have no basis for having their plugins revoked?

Why are the CA's ToS (policy really) not relevant in the case of a public CA? Public CAs can compete on a number of attributes, including policy. Some CAs have a policy that says revocation is not necessary. Others say identity verification is not important. Some CAs will revoke software publisher certificates if they publish deceptive software; that includes VeriSign's public CAs.

Why is a private-purposed CA's policy not relevant to revocation policy? Private CAs are operated under a customer (or industry standard) policy. That policy can define the test or tests for revocation, or avoid the question and specify a judge, or define both.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
