On Mon, 4 Oct 2010, Phillip Hallam-Baker wrote:
> 2) Sanction CAs that issue unauthorized certificates

What would you say a valid sanction would be for a CA that issues a bad certificate for 10 major websites like Mozilla and Yahoo? What should the sanction be for a CA whose reseller's subCAs issue such bad certificates? What would the sanctions be for non-FQDN EV certs issued? What would the current total sanction be for Comodo, a player who has someone as honourable as you working for them, based on last year's events plus the EV violations detected via the SSL Observatory data? How could an external party review the set of unknown serials revoked by Comodo to determine the kind/amount of sanction? Would Comodo's "license" have been revoked, or would the sanctions have been limited to money? If so, would the money be an absolute value or a percentage of profit/turnover? What would or could Comodo have done differently if such a sanction had been applied?

There is really only one sanction everyone can determine by themselves to apply to any CA: the decision to trust them more or less than themselves. If the latter, DNSSEC with DANE is an excellent choice. Feel free to interpret DANE as each TLS owner's "sanction".

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop