[SSL Observatory] Number of CAs

Jacob Appelbaum jacob at appelbaum.net
Wed Dec 7 20:20:36 PST 2011

On 12/07/2011 06:27 PM, Phillip Hallam-Baker wrote:
> If you think 50 CAs is too many then make your case based on the number
> there is support for rather than inflating it.

All of this reminds me of a fantastic joke from the wonderful book

Herr Bohnsack starts with a joke. "The USA, the Soviet Union and the GDR
want to raise the Titanic," he says. "The USA wants the jewels presumed
to be in the safe, the Soviets are after the state-of-the-art
technology; and the GDR" - he downs his Korn for dramatic pause - "the
GDR wants the band that played as it went down."

Out of fifty or six hundred and fifty, I still have two keys that could
be used for MITM on a large number of targets. One key has been
released[0], the other has not[1].

So what's the case?

I was able to become a valid CA at all. Two really. In some
circumstances, I'm still able to sign things as if I was a valid CA.

That's a pretty silly security system. Though I do appreciate that
you're willing to sing the chorus with the CA band as the X509 security
ship sinks!

All the best,

[1] http://www.win.tue.nl/hashclash/rogue-ca/
