Re: dropping the root is useless
On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said: And since the number one reason for having a CA in the root list is for Mozilla-software user security, how do you arrive at punish [...] millions of users? If all of Comodo's certs cease to be trusted, millions of web surfers will see errors on potentially thousands of sites. This leads me to believe that there are three possibilities: 1) You have communication from Robin about the number of certificates that Comodo has issued that the rest of us are not privy to, OR 2) You have some way of knowing what CAs are in use by the servers that users of the Mozilla applications use (which concept rather scares me, since it hasn't been disclosed as part of the software operations), OR The fact you think these are even reasonably conclusions tells me a lot about your reasoning skills. 3) You're pulling numbers out of thin air. Indeed, I am, as an educated guess. Comodo is a root CA. You don't get root status by having a handful of customers. It's hard business to break into, and Comodo has been around a while. I find it hard to believe a company of their size and age has any fewer than ten thousand certs out there, and that's a lowball guess. There are many hundreds of millions of web users, and millions of websites. Do you really find it hard to believe at least 1% of those secure sites might be using a Comodo cert? -- Grey Hodge email [ grey @ burntelectrons.org ] web [ http://burntelectrons.org ] tag [ Don't touch that! You might mutate your fingers! ] motto [ Make everything as simple as possible, but no simpler. - Einstein ] ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: dropping the root is useless
On 12/29/2008 8:45 AM Eddy Nigg cranked up the brainbox and said: Please do not add comments to that thread without relevance, thanks. Excuse me, I've had enough or your arrogant attitude. I've seen the way you've been treating people and I can name half a dozen off the top of my head you've been rude to. Knock it off, you're not in any position to tell anyone where to post and not to post. Further, I've been following the threads for a while now, thank you very much. I'll thank you to treat people with more respect or kindly shove off. You did a good deed unveiling Certstar, don't blow that good will with obnoxiousness. -- Grey Hodge email [ grey @ burntelectrons.org ] web [ http://burntelectrons.org ] tag [ Don't touch that! You might mutate your fingers! ] motto [ Make everything as simple as possible, but no simpler. - Einstein ] ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: dropping the root is useless
On 12/29/2008 4:46 PM Eddy Nigg cranked up the brainbox and said: The amount of customers never was a known criteria of CAs business practices ever. I also don't know how many Credit cards Bank of America issues, but I can guess with reasonable accuracy. Isn't the responsibility of a CA this size much greater and breach of trust going to affect many? Is a breach of trust justified and acceptable because of the size of a CA or shouldn't that CA provide extra care? Considering the KNOWN size of the breach, a maximum of 111 certs, less than ten percent of which could not be verified in 2 days, only 2 of which were confirmed to be fraudulent (both your attempts), I don't think this requires a revocation. If we /can/ resolve this issue without revoking, why shouldn't we? (For your knowledge, Netcraft confirms There's a reason netcraftconfirmsit is a tag on Slashdot, and it's not because Netcraft is a bastion of statistical rigor. My point still stands. Revoking Comodo certs would be a needlessly messy and painful endeavour, and should be avoided if the situation can be resolved elsewise. So far, I have no reason to believe Comodo can't tighten up their practices without nuking millions of web surfers. -- Grey Hodge email [ grey @ burntelectrons.org ] web [ http://burntelectrons.org ] tag [ Don't touch that! You might mutate your fingers! ] motto [ Make everything as simple as possible, but no simpler. - Einstein ] ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: dropping the root is useless
On 12/28/2008 9:42 AM Eddy Nigg cranked up the brainbox and said: On 12/28/2008 04:24 PM, Ian G: No, I'm afraid there is an agreement to list the root, under a policy. Once listed, Mozilla has to operate according to its side of the bargain. Apparently you are reading something I haven't. Apparently, but that doesn't mean it's invalid. Mozilla can't act arbitrarily and without cause and expect to retain any shred of respect or trustworthiness. A policy not adhered to is worthless. That's for the specific certstar case. Domain validation isn't performed by Comodo on a wide scale apparently and perhaps no validation is performed at all. Yes, perhaps, and perhaps they send out certs to anyone who asks nicely, but we have little evidence to support these suppositions. Rather than having a kneejerk reaction of removing Comodo from the root list, why don't we examine the situation. This reseller was not acting according to proper procedure. Comodo immediately revoked their reseller status, and reviewed their certs. Further, they've said they're reviewing their policies to ensure this doesn't happen again. Given their candor and quick response, what more do you require that you feel you're not getting that justified removing them as a root CA? I really think you're going overboard. Form what I see, I'm not alone in that assessment. You did a good job in bringing this to light. Having the issues you uncovered addressed and fixed should be sufficient. Why do we need to take punitive action that will do nothing but punish tens of thousands of other Comodo customers and millions of users? -- Grey Hodge email [ grey @ burntelectrons.org ] web [ http://burntelectrons.org ] tag [ Don't touch that! You might mutate your fingers! ] motto [ Make everything as simple as possible, but no simpler. - Einstein ] ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto