They have no incentive to do so, and even if they did, they'd be ignored. People widely ignore the fact that when Verisign says "trusted" it means one thing, and when Comodo says "trusted" it means another thing. Until this is fixed, there is no point in (b) so we see what we see - a race to be the one who sells the most control-of-domain certs.
This is rational behaviour on the part of CAs, and is totally the browser's doing.
Indeed. But the CAs mostly don't like it, and I hope we're going to be able to fix the browser to remove the incentive for this behaviour.
Gerv _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
