NSS

Comment 12 for bug 310999

In , Paul Bryan (pbryan) wrote:

1. I don't think the common user is going to be sufficiently cognizant of the issues surrounding whether a particular certificate should be trusted or not; Firefox users are implicitly trusting Mozilla to perform vetting of certification authorities. The buck is stopping at the browser.

2. Any breach such as that demonstrated in this case warrants investigation all the way up the chain to determine why the failure was not caught. Who failed to perform due diligence? What other vulnerabilities might exist, based on the cause of the current failure?

3. Trust in a certificate affects every link all the way up in the chain to the root issuer. If the root fails to revoke a subordinate's certificate due to the subordinate's failure to comply with policy (or due to a breach in security) then trust should be lost in that root issuer.

4. Longer-term, I believe Mozilla should insert itself in the chain of trust through PKI in the certs published with their technology, so it can revoke trust in a particular CA (e.g. through OCSP) without needing to republish their code to resolve such a breach.