At 9:02 AM +0200 1/4/09, Yoav Nir wrote:
Best we can do is to get the CAs to
(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) and a random fluff extension that people are talking about
Just to repeat it one more time: #3 does not prevent the published attack.
But still, I don't see Microsoft removing a root CA because one of their
sub-CAs is issuing non-compliant certificates.
It is hard to see Microsoft removing or adding CAs. If anyone knows of a public
interface (mailing list, web site, whatever) for when this happens, by all
means please the world know.
And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/Chrome
people don't want any sites that "only work with Explorer".
At least with respect to Firefox, I think that statement is false.
--Paul Hoffman, Director
--VPN Consortium