Re: not really pgp signing in van

2013-09-10 17:15:54
On Tue, Sep 10, 2013 at 05:47:55PM -0400, John R Levine wrote:

> I think we're entering the tinfoil zone here.  Comodo is one of the
> largest CAs around, with their entire income depending on people
> paying them to sign web and code certs because they are seen as
> trustworthy.

You might want to watch the first half of Moxie Marlinspike's presentation
at Black Hat 2011, "SSL And The Future Of Authenticity".  It's not
entirely clear to me that his proposed solution is the correct one,
but his problem statement of why CAs can't be trusted to do a good
job can be found here:

http://www.youtube.com/watch?v=Z7Wl2FW2TcA

> How likely is it that they would risk their reputation and hence
> their entire business by screwing around with free promo S/MIME
> certs?

Watch the video; note that removing Comodo from the list of acceptable
CAs is really not practical, so there really is no incentive for them
to do a good job.

                                - Ted
