[Cryptography] TB2F CAs as (un)official browser policy

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 19 20:45:15 EDT 2015


Peter Bowen <pzbowen at gmail.com> writes:

>With due respect, you are not representing the thread correctly.  The 
>discussion was about whether to allow certs that were issued before the 
>cutoff or just distrust all certs issued by the CA.

I can't see that in the thread; there were a bunch of replies along the lines 
of (to quote one message) "If they can't follow the rules, they need to go", 
and then a longish discussion on removing trust bits vs. removing the CA cert.  
The bugzilla entry (https://bugzilla.mozilla.org/show_bug.cgi?id=1145270) says 
the same thing, "pull the cert", with replies indicating that it's been pulled 
(or at least that a code update to do so is in the pipeline).

>P.S. You might want to make clear that you mean Digicert Sdn, not DigiCert 
>Inc.  They are two unrelated companies and, as far as I know, DigiCert Inc 
>has no issues.

Sure.  So there are a number of CAs all called Digicert, the one I was 
referring to was the Malaysian (bad) Digicert, not any of the other 
(apparently OK) Digicerts.

It's also been pointed out that the figure given was for validations of the 
cert by Mozilla clients rather than number of certs issued.  I assumed it was 
a glitch in reporting the figures since I couldn't imagine that Mozilla apps 
would report all cert validations back to Mozilla ("[Mozilla telemetry] may 
collect anonymized site visit information in some circumstances, such as when 
a secure browsing connection fails to connect, or for some experiments"), but 
apparently they do.

Peter.
