- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 27 May 2008 14:23:20 +0200
- To: yngve@opera.com, johnath@mozilla.com, pbaker@verisign.com
- Cc: public-wsc-wg@w3.org
One side effect of the Debian SSL key generation disaster is that anybody who got hold of one of the affected *public* certificates will be able to impersonate that site until the certificate is revoked -- the private keys are known, after all. Affected sites apparently include at least one major content-delivery network.

I wonder what we can expect in terms of mass revocation of affected certificates, in terms of distributing these CRLs to users, or possibly even in terms of blacklisting any affected certificates, even without participation from the CAs -- after all, the current situation creates a significant exposure which is *not* healed by sites changing their keys.

(Some quick poking at published CRLs seems to show no significant increase in revocations when comparing May to prior months, which makes me mildly nervous.)

Anybody care to shed some light on the current thinking? Yngve? Johnath? Phill?

Thanks,
--
Thomas Roessler, W3C <tlr@w3.org> +33-4-89063488
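As an added illustration of the exposure described above (not code from the message or from the working group): a toy client policy that checks a certificate first against a CA-published CRL and then against a local blacklist of weak public-key fingerprints, showing that rekeying alone leaves the old certificate usable until one of those two checks catches it. The certificate fields, modulus values and fingerprint derivation are constructed assumptions, not real keys and not the openssl-blacklist format.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int        # certificate serial number, which is what a CRL lists
    subject: str       # site the certificate is issued to
    modulus_hex: str   # RSA public modulus in hex, the part a weak generator makes predictable


def key_fingerprint(modulus_hex: str) -> str:
    """Hash the public key, not the certificate: every cert carrying a weak key
    shares this value, however many times the site re-issues under that key."""
    return hashlib.sha1(f"Modulus={modulus_hex.upper()}\n".encode()).hexdigest()


def accept(cert: Cert, crl_serials: set, weak_key_fps: set) -> str:
    """Client-side decision: CA-driven revocation first, then the local key
    blacklist, which needs no participation from the CA at all."""
    if cert.serial in crl_serials:
        return "revoked"
    if key_fingerprint(cert.modulus_hex) in weak_key_fps:
        return "weak-key"
    return "ok"


# Constructed sample data (not real keys): the original cert carries a key from
# the broken generator; the replacement cert the site obtained uses a fresh key.
WEAK_MODULUS = "C0FFEE" * 8
OLD_CERT = Cert(serial=1001, subject="cdn.example", modulus_hex=WEAK_MODULUS)
NEW_CERT = Cert(serial=1002, subject="cdn.example", modulus_hex="ABC123" * 8)
WEAK_KEY_BLACKLIST = {key_fingerprint(WEAK_MODULUS)}


def scenario() -> dict:
    """Evaluate the old and new certificates under three client policies."""
    crl_before = set()             # the CA has not (yet) revoked anything
    crl_after = {OLD_CERT.serial}  # the CA revokes the original certificate
    return {
        # rekeying alone: the old cert still validates, so impersonation still works
        "old_cert_crl_only_before_revocation": accept(OLD_CERT, crl_before, set()),
        # a key blacklist closes that window without waiting for the CA
        "old_cert_with_blacklist": accept(OLD_CERT, crl_before, WEAK_KEY_BLACKLIST),
        # once the CRL catches up, revocation is reported regardless of the blacklist
        "old_cert_after_revocation": accept(OLD_CERT, crl_after, WEAK_KEY_BLACKLIST),
        # the site's fresh key passes both checks
        "new_cert": accept(NEW_CERT, crl_after, WEAK_KEY_BLACKLIST),
    }


if __name__ == "__main__":
    for policy, decision in scenario().items():
        print(f"{policy}: {decision}")
```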
Received on Tuesday, 27 May 2008 12:23:57 UTC