<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    On 06/14/2013 06:39 PM, From Gervase Markham:
    <blockquote cite="mid:51BB3927.6000208@mozilla.org" type="cite">
      <pre wrap="">On 14/06/13 16:16, Eddy Nigg (StartCom Ltd.) wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Perhaps read the communication preceding your replies where Rick
explicitly confirmed that they are used on HTTP servers using HTTP over
SSL/TLS.
</pre>
      </blockquote>
      <pre wrap="">
But browsers don't talk the protocol they use on top.</pre>
    </blockquote>
    <br>
    I don't know, but does it matter really? If somebody can access it,
    he/she can also learn whatever protocol that is.<br>
    <br>
    <blockquote cite="mid:51BB3927.6000208@mozilla.org" type="cite">
      <pre wrap="">In this case, there are no browser users who visit the servers
concerned. It is, I submit, Visa's and the issuing bank's responsibility
to assess the risk of using 1024-bit certificates on those connections,
and ban them when they think they need banning.</pre>
    </blockquote>
    <br>
    Isn't it Google's responsibility then to assess the risk if it wants
    to use 1K keys? So where exactly do you want to draw the line?<br>
    <br>
    If it's Google you don't agree but if it's Visa you agree? And if
    it's a user using some outdated router do you agree too? Maybe only
    for Alexa top 100 host names? Else?<br>
    <br>
    <blockquote cite="mid:51BB3927.6000208@mozilla.org" type="cite">
      <pre wrap="">This was clearly a CA which didn't know what it was doing.
</pre>
    </blockquote>
    <br>
    Probably - but their offense was first of all that they issued 512
    bit keys (which might not be such a bad thing after all following
    your logic). Then they were non-revocable. You can find such
    non-revocable certificates [*] also from other CAs apparently. And
    then one might ask if we need any rules at all...<br>
    <br>
    [*]
<a class="moz-txt-link-freetext" href="http://news.netcraft.com/archives/2013/05/23/would-you-knowingly-trust-an-irrevocable-ssl-certificate.html">http://news.netcraft.com/archives/2013/05/23/would-you-knowingly-trust-an-irrevocable-ssl-certificate.html</a><br>
    <br>
    <br>
    <div class="moz-signature">
      <table border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td colspan="2">Regards </td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
          <tr>
            <td>Signer: </td>
            <td>Eddy Nigg, COO/CTO</td>
          </tr>
          <tr>
            <td> </td>
            <td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
          </tr>
          <tr>
            <td>XMPP: </td>
            <td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
          </tr>
          <tr>
            <td>Blog: </td>
            <td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
          </tr>
          <tr>
            <td>Twitter: </td>
            <td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
        </tbody>
      </table>
    </div>
    <br>
  </body>
</html>