[SSL Observatory] Number of CAs

Ben Wilson ben at digicert.com
Thu Dec 8 09:44:06 PST 2011


I think this group needs to define the problem more accurately.  If you are
not saying it is the sheer number of CAs, then are you saying it is an issue
of control and auditability?  It seems that you are groping at the problem
without clearly explaining what it is.  I think what some of you are saying
is that you are concerned about the control over use of the CA keys that you
trust.  If that is the issue, then it needs to be presented directly that
way so that the solution can be directed to the problem.  It reminds me of
the patient who expects the doctor to diagnose the illness by merely saying
that his belly hurts.

-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On
Behalf Of Jacob Appelbaum
Sent: Wednesday, December 07, 2011 9:21 PM
To: observatory at eff.org
Subject: Re: [SSL Observatory] Number of CAs

On 12/07/2011 06:27 PM, Phillip Hallam-Baker wrote:
> If you think 50 CAs is too many then make your case based on the number
> there is support for rather than inflating it.

All of this reminds me of a fantastic joke from the wonderful book
Stasiland:

Herr Bohnsack starts with a joke. "The USA, the Soviet Union and the GDR
want to raise the Titanic," he says. "The USA wants the jewels presumed
to be in the safe, the Soviets are after the state-of-the-art
technology; and the GDR" - he downs his Korn for dramatic pause - "the
GDR wants the band that played as it went down."

Out of fifty or six hundred and fifty, I still have two keys that could
be used for MITM on a large number of targets. One key has been
released[0], the other has not[1].

So what's the case?

I was able to become a valid CA at all. Two really. In some
circumstances, I'm still able to sign things as if I was a valid CA.

That's a pretty silly security system. Though I do appreciate that
you're willing to sing the chorus with the CA band as the X509 security
ship sinks!

All the best,
Jacob

[0] https://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html
[1] http://www.win.tue.nl/hashclash/rogue-ca/