<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
On 06/14/2013 06:39 PM, From Gervase Markham:
<blockquote cite="mid:51BB3927.6000208@mozilla.org" type="cite">
<pre wrap="">On 14/06/13 16:16, Eddy Nigg (StartCom Ltd.) wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Perhaps read the communication preceding your replies where Rick
explicitly confirmed that they are used on HTTP servers using HTTP over
SSL/TLS.
</pre>
</blockquote>
<pre wrap="">
But browsers don't talk the protocol they use on top.</pre>
</blockquote>
<br>
I don't know, but does it matter really? If somebody can access it,
he/she can also learn whatever protocol that is.<br>
<br>
<blockquote cite="mid:51BB3927.6000208@mozilla.org" type="cite">
<pre wrap="">In this case, there are no browser users who visit the servers
concerned. It is, I submit, Visa's and the issuing bank's responsibility
to assess the risk of using 1024-bit certificates on those connections,
and ban them when they think they need banning.</pre>
</blockquote>
<br>
Isn't it Google's responsibility then to assess the risk if it wants
to use 1K keys? So where exactly do you want to draw the line? <br>
<br>
If it's Google you don't agree, but if it's Visa you agree? And if
it's a user using some outdated router, do you agree too? Maybe only
for Alexa top 100 host names? Else?<br>
<br>
<blockquote cite="mid:51BB3927.6000208@mozilla.org" type="cite">
<pre wrap="">This was clearly a CA which didn't know what it was doing.
</pre>
</blockquote>
<br>
Probably - but their offense was first of all that they issued 512-bit
keys (which might not be such a bad thing after all following
your logic). Then they were non-revocable. You can find such
non-revocable certificates [*] also from other CAs apparently. And
then one might ask if we need any rules at all...<br>
<br>
[*]
<a class="moz-txt-link-freetext" href="http://news.netcraft.com/archives/2013/05/23/would-you-knowingly-trust-an-irrevocable-ssl-certificate.html">http://news.netcraft.com/archives/2013/05/23/would-you-knowingly-trust-an-irrevocable-ssl-certificate.html</a><br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
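The message above turns on two concrete certificate properties: the RSA key size (512, 1024 or more bits) and whether a certificate carries any revocation pointer at all (a CRL distribution point or an OCSP responder URL), which is what makes a certificate effectively "non-revocable" for relying parties. The following is an added example, not code from the thread or from any CA: it builds two constructed self-signed certificates with Go's standard library and runs an assessment over them. The 2048-bit threshold, the `example.test` name and the CRL/OCSP URLs are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the policy threshold assumed for this example; it is not a
// figure taken from the thread.
const MinRSABits = 2048

// AssessCert reports the two weaknesses discussed in the thread: an RSA key
// below the minimum size, and missing revocation pointers (no CRL distribution
// point and/or no OCSP responder), which leave relying parties with no standard
// way to learn that the certificate was revoked.
func AssessCert(cert *x509.Certificate, minRSABits int) []string {
	var findings []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < minRSABits {
			findings = append(findings,
				fmt.Sprintf("RSA key is %d bits, below the %d-bit minimum", bits, minRSABits))
		}
	default:
		findings = append(findings, fmt.Sprintf("key type %T not assessed", pub))
	}
	if len(cert.CRLDistributionPoints) == 0 {
		findings = append(findings, "no CRL distribution point")
	}
	if len(cert.OCSPServer) == 0 {
		findings = append(findings, "no OCSP responder URL")
	}
	return findings
}

// IsEffectivelyIrrevocable is true when the certificate offers no revocation
// pointer at all, the situation the linked Netcraft article describes.
func IsEffectivelyIrrevocable(cert *x509.Certificate) bool {
	return len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0
}

// makeSelfSigned builds a constructed test certificate (not any real issuer's
// certificate) with the given RSA key size, optionally carrying CRL and OCSP
// pointers. 512-bit keys are deliberately not generated: recent Go releases
// refuse to create RSA keys below 1024 bits.
func makeSelfSigned(bits int, withRevocationInfo bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	if withRevocationInfo {
		// Hypothetical URLs; they only need to be present, not reachable.
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"}
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Re-parse the DER so the check runs on exactly what a client would see.
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		bits int
		rev  bool
	}{{1024, false}, {2048, true}}
	for _, c := range cases {
		cert, err := makeSelfSigned(c.bits, c.rev)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-bit key, revocation info=%v: findings=%v irrevocable=%v\n",
			c.bits, c.rev, AssessCert(cert, MinRSABits), IsEffectivelyIrrevocable(cert))
	}
}
```

The same `AssessCert` can be pointed at a certificate fetched from a live server (`tls.Dial` and `ConnectionState().PeerCertificates[0]`) to reproduce the kind of survey the Netcraft article reports; the constructed certificates here only exist so the check runs offline.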
</body>
</html>