<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
On 03/30/2011 11:33 PM, From John Bradley:<br>
<blockquote
cite="mid:B9929B6C-9230-49BF-9C6B-D3B7920CBF14@ve7jtb.com"
type="cite">
<div>However as you say if people don't manage the certificates in
their root store they are more likely to see this sort of thing.</div>
</blockquote>
<br>
True.<br>
<br>
<blockquote
cite="mid:B9929B6C-9230-49BF-9C6B-D3B7920CBF14@ve7jtb.com"
type="cite">
<div>No CA is immune, sometimes customers shoot themselves in the
foot, generating weak keys etc.</div>
</blockquote>
<br>
The better CAs check for that when possible...but it's also correct
there is no 100% always. Otherwise there wouldn't be a bunch of bug
fixes and security updates with any kind of software all the time.<br>
<br>
<blockquote
cite="mid:B9929B6C-9230-49BF-9C6B-D3B7920CBF14@ve7jtb.com"
type="cite">
<div>We have to be able to deal with revoked certificates or we
should not be using TLS security for a key part of openID trust.</div>
</blockquote>
<br>
Revocation status should certainly be checked.<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
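As an added illustration of the revocation point made in this reply (example code written for this page, not code from either correspondent or from StartCom), the following Go program uses only the standard library to build a constructed in-memory test CA, issue two leaf certificates, publish a CRL that revokes one of them, and then check a certificate against that CRL. The CRL check assumes a CRL-based model (OCSP is the other common mechanism); the names, serial numbers and validity windows are constructed test values.<br>

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IsRevoked checks leaf against a DER-encoded CRL, which must verify under
// issuer and still be current. A CRL that cannot be trusted is an error,
// never a silent "not revoked": a relying party that cannot obtain fresh
// revocation data has no basis for trusting the certificate.
func IsRevoked(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("crl is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// issue signs tmpl under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafTemplate returns a minimal server-certificate template (constructed values).
func leafTemplate(now time.Time, serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildScenario builds constructed in-memory PKI material (not real CA data):
// a self-signed issuer, two leaves, and a CRL that revokes the first leaf.
func BuildScenario() (issuer, revoked, good *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if issuer, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	if revoked, err = issue(leafTemplate(now, 4242, "compromised.op.example"), issuer, &leafKey.PublicKey, caKey); err != nil {
		return
	}
	if good, err = issue(leafTemplate(now, 4243, "healthy.op.example"), issuer, &leafKey.PublicKey, caKey); err != nil {
		return
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, issuer, caKey)
	return
}
```

The design choice worth noting is the failure mode: IsRevoked returns an error when the CRL signature does not verify or the CRL is past its NextUpdate, rather than treating those cases as "not revoked". A relying party that falls back to trusting the certificate whenever revocation data is unavailable gets no protection from revocation at all.<br>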
</body>
</html>