[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Ben Wilson ben at digicert.com
Mon Nov 14 12:14:40 PST 2011


I found the following comments of Taher Elgamal interesting: "time for some
Internet entity to start to collect reputation data on CAs" and "it would
have been so much easier for the browser to sign CA root keys instead of
just hard-coding."

http://www.darkreading.com/authentication/167901072/security/news/231901107/on-trusting-certificate-authorities.html

-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On
Behalf Of Peter Gutmann
Sent: Saturday, November 12, 2011 7:34 PM
To: holz at net.in.tum.de; observatory at eff.org
Subject: Re: [SSL Observatory] certificates for .local names [was: Re: DFN
and subordinate CA domain-scoped whitelists]

Ralph Holz <holz at net.in.tum.de> writes:

>You see, all these PKI problems are well-known, and no-one has come up with
>sensible solutions in the past decades.

I think as long as the industry can keep layering epicycles upon epicycles for
PKI rather than looking at, and addressing, the underlying problem, we'll never
get any real solution, or even real progress.  Look at the response to the
Diginotar meltdown, it's been to add another couple of epicycles [0] and then
sit back and wait for the next, inevitable, one to hit us, the exact same
strategy that failed the previous twenty times it was tried [1].

Peter.

[0] I'm using the epicycles concept in its popularly-disseminated sense as an
    analogy, not necessarily the historically correct one, which can be debated
    endlessly.
[1] The most popular form of the epicycle story ascribes 80 to the Ptolemaic
    system, so we have a while to go yet.