[cabfpub] Misissuance of certificates
gerv at mozilla.org
Thu Jan 21 14:33:31 UTC 2016
On 21/01/16 13:08, Dean Coclin wrote:
> Yes, I confirmed that they do.
I think the first stage, before we decide what to do about the
situation, is for the CA concerned to clearly communicate to HMRC that
if they keep on wanting privacy for such certs they are going to have a
bad time, and they would be very wise to switch to a private PKI.
Secondly, we (or the CA concerned) should ask HMRC what negative
consequences might accrue if a company's ID number becomes public. The
answer should be "none", because any system designed in such a way that
_permanent_ identifiers (as opposed to changeable ones like passwords)
have to be kept secret is very broken. But we will see.
More information about the Public