Kyle, did you really just post that? If you're arguing that soft-fail OCSP isn't good enough then we are all in agreement.
Someone in Iran *wanted* to use the certificates (from 2011) for www.google.com and mail.google.com, but due to coordinated efforts by Comodo and Mozilla and Microsoft (and Google and Opera and Apple and ...) those certificates were blacklisted by the browsers so they could not be relied upon by clients. I think everyone involved in those efforts by the bowsers would have liked very much to have had hard-fail revocation checks to rely on (for this incident, anyway) - but they didn't have it so they felt they needed to blacklist instead. Before the blacklists were in place we had revoked the certificates and were able to monitor OCSP traffic for them both before and after the blacklists were in place. We saw no sign whatsoever (that's none - not even a little bit) of OCSP traffic for those certificates from Iran, and none from anywhere else other than a handful of hits from security researchers. Compare this with Diginotar's analysis of their OCSP traffic. The statements in your final paragraph concerning a supposed certificate for *.google.com issued by Comodo are ludicrous. We have good evidence that the certificates for www.google.com and mail.google.com were not used on the internet. I do not know what you are talking about when you refer to botched revocation handling between Mozilla and Microsoft. Perhaps you could be specific so that the parties you impune can respond. (I'm not even quite sure who you're aiming at). The 'assassination of dissidents' and 'active loss of life' as a result of this incident are figments of your imagination - unless you have evidence to present to back up your allegation. Regards Robin Alden Comodo -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/310999 Title: comodo seen issuing certificates unwisely To manage notifications about this bug go to: https://bugs.launchpad.net/nss/+bug/310999/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
