[SSL Observatory] SSL CA compromise in the wild

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Mar 23 17:48:28 PDT 2011


Ludwig Nussel <ludwig.nussel at suse.de> writes:

>The domain registry could simply issue the certificate at the same time it
>assigns the domain name.

This was proposed over here (NZ), but in practice it doesn't work.  The
problem is that commercial PKI assumes that certificate issue is an incredibly
laborious, heavyweight operation where you're pressing certs out of titanium
using a steam-powered press in your basement.  For a registrar to simply say
"this org. registered this domain with us, and here's the cert to go with it"
isn't economically or practically feasible, because the cost and effort of
getting a trusted cert into the browsers is too high.

(Which is really depressing, because the org. that's in the best position to
match certs to domain names, can't).

Peter.
