[cabfpub] SHA-1 Collision Found

Gervase Markham gerv at mozilla.org
Fri Feb 24 18:27:50 UTC 2017

On 24/02/17 10:12, philliph--- via Public wrote:
> Phishing domains are not the only problem that exists. But last night I
> was reading a research paper from an employee of a well-known browser
> provider that seemed to suggest that the number of currently valid
> certificates issued by one CA for one phishing target (PayPal) was
> rather higher than the total number of mis-issued certificates from all
> CA compromises ever, DigiNotar included.

If Comodo thinks that issuing a certificate should be an endorsement of
the trustworthiness of the site, they could demonstrate that by being
the first CA to assume liability for fraud conducted by any site they
issue to. That would be a clear statement that "certificate as sign of
trustworthiness" was a viable model that we should move towards. Heck,
if a CA took that step, there might even be a supportive change in
browser UI!


