[SSL Observatory] Number of CAs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Dec 7 13:09:53 PST 2011


On 12/07/2011 03:43 PM, Phillip Hallam-Baker wrote:
> What the CAs are willing to do and what they can do are likely to be two
> different things.
> 
> The problem that comes up is that if CA X has created an intermediary for
> an external organization it is going to be for a customer. That customer
> relationship is going to be governed by a contract and the terms of that
> agreement may not have anticipated revealing the information at issue.

The trouble appears to be that the people put at risk by these secret
intermediaries are the relying parties, who are not the CA's customers.

It sounds to me like you're saying the incentives underlying the CA
model are fundamentally broken, but it's possible that i'm just
projecting what i already believe onto your statement.

Do you think the incentives underlying the current CA model are broken?

> I expect this to be fixed, but fixing it is far from simple.

Does your expectation of a fix include a realignment of the incentives?
 If so, I'm sure i'm not the only person on this list who would be
interested in hearing the details.

I appreciate your willingness to engage in constructive dialog in public
about how to address these problems.  It's commendable, and i wish more
CA representatives were as willing to confront the situation.

Regards,

	--dkg

PS i consider haggling over whether there are 50 possible weakest-links
or 650 possible weakest-links to be kind of a distraction.  Even 50 is
still far too large for a weakest-link component in a system, and of
course i (and everyone else, ttbomk) actually have no idea how many
not-publicly-visible intermediate CAs might already exist.  But I'd be
willing to pretend that the number is 50 if it meant we could focus
discussion on the systemic issues instead of on the count.
