Comment 153 for bug 232340

Nice!

All those policies, all those expensive audits, all those papers, then the fingerprint is checked by phone? Is that the security I should expect from Mozilla?

This has really let me a bit upset, and it means I really should disable every CA when I install my desktop, as I use to do. Then I can re-enable the ones I verify/trust, and add the others that dont have 75k/year to throw away with WebTrust but dont rely on phone for security :/

Also, I would obtain the root certificate using offline, trusted medium, since collision attacks are highly improbable and theoretical, but still possible. I dont know what 3-letter-agencies or multi-billion-dollar-companies have in their basements.

Sure, the policies and other documents are somewhat necessary/useful, but totally useless once the key is downloaded via untrusted medium and checked via untrusted medium (there are many guys that could fake a voice over the phone, you know?).