[SSL Observatory] Number of CAs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Dec 12 16:44:32 PST 2011


Chris Palmer <snackypants at gmail.com> writes:

>So, what's the way forward with this line of reasoning, again?

The OP said "this is an analogy for browser PKI".  I said "no this is probably
a better analogy".

That was about as far as we'd gone :-).

Having said that, it does allow you to reason about ways out.  For example
what if the browsers provided a mechanism where a CA could make a statement
like "any time you see a certificate from _our CA_ (not 'any CA at all', just
_our CA_) you can be assured that it's a legitimate business that will protect
your credit card details (e.g. by being PCI-DSS certified) and not infect your
machine with malware (via a third-party audit/scan)" (and if you want to get
pedantic, add an implied "to the best of our ability to tell" to the above
statements).

Or what if the browsers allowed something other than "pay a CA or your
customers will be scared away" as a security mechanism?

Peter.
