[144437] in cryptography@c2.net mail archive
Re: Has any public CA ever had their certificate revoked?
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Fri May 8 13:18:05 2009
In-Reply-To: <200905081602.n48G2Ii4009624@home.unipay.nl>
Date: Fri, 8 May 2009 09:08:03 -0700
To: ray@unipay.nl
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: pgut001@cs.auckland.ac.nz, dan@geer.org, thierry.moreau@connotech.com,
cryptography@metzdowd.com
At 6:02 PM +0200 5/8/09, R. Hirschfeld wrote:
>> Date: Tue, 5 May 2009 10:17:00 -0700
>> From: Paul Hoffman <paul.hoffman@vpnc.org>
>
>> the CA fixed the problem and researched all related problems that it
>> could find.
>
>From what I've read of the incident (I think it's the one referred
>to), Comodo revoked the bogus mozilla.com cert and got their reseller
>Certstar (who issued it) to start performing validation.
Correct.
>Security
>common sense might suggest that they validate all certs previously
>issued by Certstar and check the validation procedures of their other
>resellers. Do you know whether they did so?
Comodo publicly said they did. That's why I said "researched all related problems that it could find".
>The former seems a major
>undertaking and commercially delicate.
And yet they appear to have done it.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List