Has any public CA ever had their certificate revoked?

Paul Hoffman paul.hoffman at vpnc.org
Tue May 5 19:06:04 EDT 2009


At 6:44 PM -0400 5/5/09, Jerry Leichter wrote:
>On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
>>...This leads to the question: if a CA in a trust anchor pile does something wrong (terribly wrong, in this case) and fixes it, should they be punished? If you say "yes", you should be ready to answer "who will benefit from the punishment" and "in what way should the CA be punished"....
>The same question can be asked about *any* instance of criminal behavior, or of any other kind of behavior that is considered "bad enough" to be worthy of punishment.

Tautologically so.

>As for what your punishment as a "bad CA" should be:  Realistically, in any industry based on trust, the major component of punishment should be loss of trust - which results in people refusing to do business with you any more, which will usually put you out of business. 

Even with this definition, there was no significant punishment in this case. I'm not saying there should be, particularly because the CA cleaned things up fairly rapidly, but only a few people probably have reduced their trust of the CA in question.

>In egregious cases, we send people to jail (where they can spend time with Bernie Madoff).  We also have mechanisms that aren't punishments but deal with the equities of the situation:  They try to right the wrongs.  So if I can show that your malfeasance as a CA led to my losing money, you have to compensate me.

That has never been shown in a case of CAs not following their stated procedures.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


