[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]
Ben Wilson
ben at digicert.com
Mon Nov 14 12:14:40 PST 2011
I found the following comments of Taher Elgamal interesting, "time for some
Internet entity to start to collect reputation data on CAs" and "it would
have been so much easier for the browser to sign CA root keys instead of
just hard-coding."
http://www.darkreading.com/authentication/167901072/security/news/231901107/on-trusting-certificate-authorities.html
-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On
Behalf Of Peter Gutmann
Sent: Saturday, November 12, 2011 7:34 PM
To: holz at net.in.tum.de; observatory at eff.org
Subject: Re: [SSL Observatory] certificates for .local names [was: Re: DFN
and subordinate CA domain-scoped whitelists]
Ralph Holz <holz at net.in.tum.de> writes:
>You see, all these PKI problems are well-known, and no-one has come up with
>sensible solutions in the past decades.
I think as long as the industry can keep layering epicycles upon epicycles for
PKI rather than looking at, and addressing, the underlying problem, we'll never
get any real solution, or even real progress. Look at the response to the
Diginotar meltdown, it's been to add another couple of epicycles [0] and then
sit back and wait for the next, inevitable, one to hit us, the exact same
strategy that failed the previous twenty times it was tried [1].
Peter.
[0] I'm using the epicycles concept in its popularly-disseminated sense as an
    analogy, not necessarily the historically correct one, which can be debated
    endlessly.
[1] The most popular form of the epicycle story ascribes 80 to the Ptolemaic
    system, so we have a while to go yet.