Hi, some important points seem missing here. First of all, Mozilla sent a CA communications that clarifies that issuing MitM certificates is not acceptable by the policy (in fact, the policy was *not* clear about that before, this case has never been there). Furthermore, all other CAs (and according to Trustwave, quite a few CAs consider this "common practice"), have been given a deadline by which all of these certificates have to be disclosed (so they can be blocked) and revoked. Any CA not following this faces removal from NSS, which seems a clear statement to me. How is that compatible to "violating the end user"? In fact, revoking the Trustwave CA wouldn't have helped a lot to protect the end-user. It wouldn't have been possible to call out to other CAs and get them to stop their MitM business because every such CA disclosing their MitM cert policy would have been removed as well (otherwise it would be unfair, wouldn't it?). It seems to me that the situation is by far not as easy as some people try to put it. Oh and by the way: Have you heard of any other browser vendor taking *any* steps against Trustwave? Best, Chris On 02/23/2012 01:12 AM, Jeffrey Walton wrote: > It appears to be official. > > Trustwave issued MitM certificates, which is deceptive, unethical, and > contrary to its agreement for inclusion. > > Mozilla just rewarded their violations of trust by continuing their > inclusion. Apparently, agreements between Mozilla and CAs have no > veracity as both are more than happy to violate the end user. > > Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929 > NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/