Comment 37 for bug 232340

In , Support-cacert (support-cacert) wrote:

Why should money be such an entry criterion? And if Verisign can make such
blatant mistakes we have heard about, what have they or other CAs done we
haven't heard about? And with Verisign's blatant snubbing of everyone everywhere
with their sitefinder service, who's to say they wouldn't do equally dodgy
things to sell certificates for overly inflated prices as well? And if there is
no threat of being revoked, what would they care in any case?

In other words a CA trying to be accredited by AICPA can lie through their teeth
on their CPS/policy statements, get established for a few years, then do whatever
the hell they like for a buck and nothing will happen to them? What, if anything,
would happen to AICPA? If they don't request browsers revoke for blatant
breaches that's merely buck passing, and all you do is stick your head in the
sand, with your fingers in your ears going la la la la till all the bad press
goes away. Is this really being a responsible net citizen after all, or just
shifting blame, when shit hits the fan, to an organisation that does nothing and
has no say after the fact?

I agreed with Frank about pre and post; after all, if there is no whacking stick
there is no incentive to be a good corporate citizen.

OCSP for checking revoked CAs sounds like a pretty good idea to me; it would reduce
the time that any breaches could spread.

Well, SSL shouldn't be trusted as the sugar-coated version some companies put
out; there are flaws in all systems where people are involved, for any number of
reasons and intentions. The security itself is fine, but the actual CA processes,
well, unless there was an in-depth study, something I doubt Frank or many have the
time to do on a volunteer basis, then we are all in serious trouble; see above
with my comments about AICPA.