[SSL Observatory] SSL CA compromise in the wild

Ali-Reza Anghaie ali at packetknife.com
Wed Mar 23 17:51:37 PDT 2011


That also creates a whole new interesting set of problems w/ domain
squatting and transfers. Conceptually it's a better start, along with
transitioning to DANE (w/ mods) and DNSSEC (across all TLDs), than where
Comodo has "matured" to though. :-/

On Thu, Mar 24, 2011 at 12:48 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Ludwig Nussel <ludwig.nussel at suse.de> writes:
>
>>The domain registry could simply issue the certificate at the same time it
>>assigns the domain name.
>
> This was proposed over here (NZ), but in practice it doesn't work.  The
> problem is that commercial PKI assumes that certificate issue is an incredibly
> laborious, heavyweight operation where you're pressing certs out of titanium
> using a steam-powered press in your basement.  For a registrar to simply say
> "this org. registered this domain with us, and here's the cert to go with it"
> isn't economically or practically feasible, because the cost and effort of
> getting a trusted cert into the browsers is too high.
>
> (Which is really depressing, because the org. that's in the best position to
> match certs to domain names, can't).
>
> Peter.


