[Cryptography] TB2F CAs as (un)official browser policy

Peter Bowen pzbowen at gmail.com
Thu Mar 19 13:20:07 EDT 2015

On Thu, Mar 19, 2015 at 4:13 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> An interesting discussion is currently occurring on the Mozilla security
> policy list.  It seems a CA is late in filing an acceptable audit statement
> (the sort in which Ernst and Young said DigiCert was OK, WebTrust said
> TrustWave was OK, PWC said DigiNotar was OK, and so on).  The deciding factor
> on pulling the CA's cert is:
>   Richard Barnes has verified that there's minimal compatibility impact to
>   removing this root certificate. Current telemetry shows that this root has
>   been responsible for 9.57k out of 9.4B validations, or about one in a
>   million.
> OTOH if you're TB2F and get 0wned by Iranian hackers (Comodo, not DigiNotar,
> who weren't TB2F) then nothing happens.  So alongside DigiNotar's cert count,
> we now have another lower bound for the browser vendors' TB2F criteria, 10K
> certs issued isn't enough.


With due respect, you are not representing the thread correctly.  The
discussion was about whether to allow certs that were issued before
the cutoff or just distrust all certs issued by the CA..


P.S. You might want to make clear that you mean Digicert Sdn, not
DigiCert Inc.  They are two unrelated companies and, as far as I know,
DigiCert Inc has no issues.

More information about the cryptography mailing list