Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Paul Hoffman
At 6:44 PM -0400 5/5/09, Jerry Leichter wrote: >On May 5, 2009, at 1:17 PM, Paul Hoffman wrote: >>...This leads to the question: if a CA in a trust anchor pile does something >>wrong (terribly wrong, in this case) and fixes it, should they be punished? >>If you say "yes", you should be ready to a

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Jerry Leichter
On May 5, 2009, at 1:17 PM, Paul Hoffman wrote: ...This leads to the question: if a CA in a trust anchor pile does something wrong (terribly wrong, in this case) and fixes it, should they be punished? If you say "yes", you should be ready to answer "who will benefit from the punishment" and

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Anne & Lynn Wheeler
On 05/05/09 14:01, Thierry Moreau wrote: Before the collapse of the .com market in year 2000, there were grandiose views of "global PKIs," even with support by digital signature laws. Actually, it turned out that CA liability avoidance was the golden rule at the law and business model abstractio

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Thierry Moreau
Paul Hoffman wrote: At 4:11 PM +1200 5/5/09, Peter Gutmann wrote: Thierry Moreau writes: Now that the main question is answered, there are sub-questions to be asked: 1. Has any public CA ever encountered a situation where a revocation would have been necessary? Yes, several times, see

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Paul Hoffman
At 4:11 PM +1200 5/5/09, Peter Gutmann wrote: >Thierry Moreau writes: > >>Now that the main question is answered, there are sub-questions to be asked: >> >>1. Has any public CA ever encountered a situation where a revocation would >>have been necessary? > >Yes, several times, see e.g. the recent m

Re: [tahoe-dev] SHA-1 broken!

2009-05-05 Thread Perry E. Metzger
lance james writes: > stupid question - does this affect IPSec realistically as well? IPSec and IPSec related protocols like IKE use SHA-1 in various places. Whether those actually could be attacked using the known weaknesses in SHA-1 would require detailed examination of the individual protocol

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Peter Gutmann
Thierry Moreau writes: >Now that the main question is answered, there are sub-questions to be asked: > >1. Has any public CA ever encountered a situation where a revocation would >have been necessary? Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of which nothing happen

Re: Has any public CA ever had their certificate revoked?

2009-05-05 Thread Thierry Moreau
d...@geer.org wrote: No, [...] Now that the main question is answered, there are sub-questions to be asked: 1. Has any public CA ever encountered a situation where a revocation would have been necessary? 1.1 Has any public CA ever had a disgruntled employee with too many privileges not r