On Mon, 4 Oct 2010, Phillip Hallam-Baker wrote:

> 2) Sanction CAs that issue unauthorized certificates

What would you say a valid sanction would be for a CA that issues a bad
certificate for 10 major websites like Mozilla and Yahoo?

What should the sanction be for a CA whose reseller's subCAs issue such
bad certificates?

What would the sanctions be for non-FQDN EV certs issued?

What would the current total sanction be for Comodo, a player who has
someone as honourable as you working for them based on last year's events
plus EV violations detected via the SSL observatory data?

How could an external party review the set of unknown serials revoked by
Comodo to determine the kind/amount of sanction?

Would Comodo's "licence" have been revoked, or would the sanctions have
been limited by money? If so, would the money be in absolute value or
percentage of profit/turnover?

What would or could Comodo have done differently if such a sanction had
been applied?

There is really only one sanction everyone can determine by themselves
to apply to any CA, the decision to trust them more or less than
themselves. If the latter, DNSSEC with DANE is an excellent choice. Feel
free to interpret DANE as each TLS owner's "sanction".

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
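The "sanction" Paul describes, shown as an added example that is not part of the list post: the domain owner publishes a DANE TLSA record pinning the SubjectPublicKeyInfo of their own certificate, and a client accepts a presented certificate only if it matches that record, whichever CA signed it. The minimal DER helpers, the constructed stand-in certificate and the function names are assumptions of this example; only DANE-EE (usage 3) matching from RFC 6698 is implemented.

```python
import hashlib

def der_encode(tag, body):
    """DER TLV, short-form length only (enough for this constructed cert)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_items(data):
    """Yield (tag, body, raw_tlv) for each element of a DER SEQUENCE body."""
    i = 0
    while i < len(data):
        tag, ln, hdr = data[i], data[i + 1], 2
        if ln & 0x80:  # long-form length
            hdr += ln & 0x7F
            ln = int.from_bytes(data[i + 2:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + ln], data[i:i + hdr + ln]
        i += hdr + ln

def spki_of(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    cert_body = next(der_items(cert_der))[1]          # Certificate SEQUENCE
    tbs_body = next(der_items(cert_body))[1]          # tbsCertificate
    fields = [f for f in der_items(tbs_body) if f[0] != 0xA0]  # drop [0] version
    return fields[5][2]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_assoc(cert_der, selector, mtype):
    """Certificate association data per RFC 6698 selector / matching type."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(),
            2: hashlib.sha512(data).digest()}[mtype]

def tlsa_record(cert_der, usage=3, selector=1, mtype=1):
    """What the domain owner publishes, e.g. '3 1 1 <sha256 of SPKI>'."""
    return (usage, selector, mtype, tlsa_assoc(cert_der, selector, mtype).hex())

def tlsa_matches(cert_der, record):
    """DANE-EE (3) check: the presented cert must match, whoever signed it."""
    usage, selector, mtype, assoc = record
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is shown here")
    return tlsa_assoc(cert_der, selector, mtype) == bytes.fromhex(assoc)

def build_fake_cert(spki_body, serial):
    """Constructed stand-in certificate: real layout, placeholder fields."""
    tbs = der_encode(0x30, b"".join([
        der_encode(0xA0, der_encode(0x02, b"\x02")),  # [0] version v3
        der_encode(0x02, serial),                      # serialNumber
        der_encode(0x30, b""), der_encode(0x30, b""),  # sigAlg, issuer
        der_encode(0x30, b""), der_encode(0x30, b""),  # validity, subject
        der_encode(0x30, spki_body),                   # subjectPublicKeyInfo
    ]))
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
```

A "3 1 1" record keeps matching when the owner's certificate is reissued with the same key by any CA, while a certificate for a different key, however validly signed, is rejected.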
