Re: dropping the root is useless

2008-12-29 Thread Kyle Hamilton
Uhm... how did you arrive at the tens of thousands of other Comodo customers figure? I don't believe that Comodo has disclosed the number of unique domain names served by certificates that it has issued. And since the number one reason for having a CA in the root list is for Mozilla-software

Re: dropping the root is useless

2008-12-29 Thread Ian G
On 29/12/08 09:47, Kyle Hamilton wrote: Uhm... how did you arrive at the tens of thousands of other Comodo customers figure? I don't believe that Comodo has disclosed the number of unique domain names served by certificates that it has issued.

Re: dropping the root is useless

2008-12-29 Thread Eddy Nigg
On 12/29/2008 09:41 AM, Grey Hodge: Apparently, but that doesn't mean it's invalid. Mozilla can't act arbitrarily and without cause and expect to retain any shred of respect or trustworthiness. Nobody suggested that I think. There is however real cause for concern. Yes, perhaps, and

Re: dropping the root is useless

2008-12-29 Thread Eddy Nigg
On 12/29/2008 07:40 AM, David E. Ross: On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]: CertStar was found out, only due to the diligence of someone on this list. How many other RAs haven't been found out yet? We can't know, because Comodo won't say. This affects the confidence I have

Re: dropping the root is useless

2008-12-29 Thread Grey Hodge
On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said: And since the number one reason for having a CA in the root list is for Mozilla-software user security, how do you arrive at punish [...] millions of users? If all of Comodo's certs cease to be trusted, millions of web

Re: dropping the root is useless

2008-12-29 Thread Grey Hodge
On 12/29/2008 8:45 AM Eddy Nigg cranked up the brainbox and said: Please do not add comments to that thread without relevance, thanks. Excuse me, I've had enough of your arrogant attitude. I've seen the way you've been treating people and I can name half a dozen off the top of my head you've

Re: dropping the root is useless

2008-12-29 Thread Eddy Nigg
On 12/29/2008 10:23 PM, Grey Hodge: Indeed, I am, as an educated guess. Comodo is a root CA. You don't get root status by having a handful of customers. The amount of customers never was a known criteria of CAs business practices ever. It's hard business to break into, and Comodo has been

Re: dropping the root is useless

2008-12-29 Thread David E. Ross
On 12/29/2008 12:23 PM, Grey Hodge wrote: On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said: And since the number one reason for having a CA in the root list is for Mozilla-software user security, how do you arrive at punish [...] millions of users? If all of Comodo's

Re: dropping the root is useless

2008-12-29 Thread Ben Bucksch
On 29.12.2008 07:59, Nelson B Bolyard wrote: Perhaps the policy should even go so far, as Kai has suggested, as to require that whatever entity performs the verification of subject identity for the CA must be audited. Yes. Not perhaps. The verification is one of the two core operations of

Re: dropping the root is useless

2008-12-29 Thread Grey Hodge
On 12/29/2008 4:46 PM Eddy Nigg cranked up the brainbox and said: The amount of customers never was a known criteria of CAs business practices ever. I also don't know how many Credit cards Bank of America issues, but I can guess with reasonable accuracy. Isn't the responsibility of a CA this

Re: dropping the root is useless

2008-12-29 Thread Kyle Hamilton
I would LOVE for Comodo to clean up its practices. Including decertifying the CA that does not adhere to financial levels of control that is certified by a CA that does. -Kyle H On Mon, Dec 29, 2008 at 5:44 PM, Grey Hodge g...@burntelectrons.org wrote: On 12/29/2008 4:46 PM Eddy Nigg cranked

Re: dropping the root is useless

2008-12-29 Thread Eddy Nigg
On 12/30/2008 03:44 AM, Grey Hodge: Considering the KNOWN size of the breach, a maximum of 111 certs, less than ten percent of which could not be verified in 2 days, only 2 of which were confirmed to be fraudulent (both your attempts), I don't think this requires a revocation. If we /can/

dropping the root is useless

2008-12-28 Thread Ian G
On 28/12/08 12:13, Kai Engert wrote: If we'd like to be strict, we could remove CAs from our approved list if they have shown to be non-conforming in the above way. Yes, we could! But this is what we call a blunt weapon. It is also a dangerous weapon. Consider (all) the consequences in

Re: dropping the root is useless

2008-12-28 Thread Eddy Nigg
On 12/28/2008 02:46 PM, Ian G: 1. Certs: All end-users who rely on these certs will lose. That probably numbers in the millions. All subscribers will lose, probably in the thousands. The CA will lose; potentially it will lose its revenue stream, or have it sliced in half (say), which is what we

Re: dropping the root is useless

2008-12-28 Thread Ian G
(following is just for the record so as to deal with the response. No new info is in here for other readers.) On 28/12/08 14:21, Eddy Nigg wrote: On 12/28/2008 02:46 PM, Ian G: 1. Certs: All end-users who rely on these certs will lose. That probably numbers in the millions. All

Re: dropping the root is useless

2008-12-28 Thread Eddy Nigg
On 12/28/2008 04:24 PM, Ian G: 1. Certs: All end-users who rely on these certs will lose. That probably numbers in the millions. All subscribers will lose, probably in the thousands. The CA will lose; potentially it will lose its revenue stream, or have it sliced in half (say), which is what we

Re: dropping the root is useless

2008-12-28 Thread Ian G
On 28/12/08 15:42, Eddy Nigg wrote: On 12/28/2008 04:24 PM, Ian G: I was clearly replying to the later part: The CA will lose; potentially it will lose its revenue stream, or have it sliced in half (say), which is what we would call in business circles a plausible bankruptcy event. It's not

Re: dropping the root is useless

2008-12-28 Thread David E. Ross
On 12/28/2008 4:46 AM, Ian G wrote [in part]: On 28/12/08 12:13, Kai Engert wrote: If we'd like to be strict, we could remove CAs from our approved list if they have shown to be non-conforming in the above way. Yes, we could! But this is what we call a blunt weapon. It is also a

Re: dropping the root is useless

2008-12-28 Thread Kyle Hamilton
On Sun, Dec 28, 2008 at 6:24 AM, Ian G i...@iang.org wrote: (following is just for the record so as to deal with the response. No new info is in here for other readers.) I would very much appreciate it if you would stop using fear, uncertainty, and doubt to manipulate the audience into

Re: dropping the root is useless

2008-12-28 Thread Kyle Hamilton
On Sun, Dec 28, 2008 at 9:28 AM, Ian G i...@iang.org wrote: On 28/12/08 17:06, David E. Ross wrote: How about the users of Mozilla products who might lose money or even go bankrupt because they trusted a root certificate from such a CA? No, such losses are not known (yet). What did happen,

Re: dropping the root is useless

2008-12-28 Thread Ian G
On 29/12/08 00:37, Kyle Hamilton wrote: On Sun, Dec 28, 2008 at 9:28 AM, Ian G i...@iang.org wrote: On 28/12/08 17:06, David E. Ross wrote: How about the users of Mozilla products who might lose money or even go bankrupt because they trusted a root certificate from such a CA? No, such losses

Re: dropping the root is useless

2008-12-28 Thread Kyle Hamilton
On Sun, Dec 28, 2008 at 3:42 PM, Ian G i...@iang.org wrote: On 29/12/08 00:37, Kyle Hamilton wrote: Considering that trustability is viewed as a binary state, it's the only weapon that Mozilla has. Yes. This is reason for concern. FWIW, I agree. Alright, I propose that, in a new thread,

Re: dropping the root is useless

2008-12-28 Thread Ian G
On 29/12/08 00:36, Kyle Hamilton wrote: On Sun, Dec 28, 2008 at 6:24 AM, Ian G i...@iang.org wrote: Unlike you, Eddy actually runs a certifying authority. This means that he has operational experience with not only the technical sides of things, but also the legal sides of things. I

Re: dropping the root is useless

2008-12-28 Thread Eddy Nigg
On 12/29/2008 03:09 AM, Ian G: The point I have made is that the discussion of Comodo's operations is outside scope of this forum. You may feel that you have an opinion, and you have a right to it. However, this forum is not for the investigation of breaches or failures to comply with policies.

Re: dropping the root is useless

2008-12-28 Thread David E. Ross
On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]: CertStar was found out, only due to the diligence of someone on this list. How many other RAs haven't been found out yet? We can't know, because Comodo won't say. This affects the confidence I have in their system (i.e., it removes ALL

Re: dropping the root is useless

2008-12-28 Thread Nelson B Bolyard
David E. Ross wrote, On 2008-12-28 21:40 PST: Now that it is known that a subordinate reseller operating under one CA issued certificates without authenticating the identity of the subscribers, we know that the theoretical concern expressed (before all this) about resellers is no longer

Re: dropping the root is useless

2008-12-28 Thread Grey Hodge
On 12/28/2008 9:42 AM Eddy Nigg cranked up the brainbox and said: On 12/28/2008 04:24 PM, Ian G: No, I'm afraid there is an agreement to list the root, under a policy. Once listed, Mozilla has to operate according to its side of the bargain. Apparently you are reading something I haven't.