[SSL Observatory] Tangent - coercibility of different authority structures

Phillip Hallam-Baker hallam at gmail.com
Mon Sep 26 06:11:35 PDT 2011


Again, it is not 100 ways.

You keep spreading that claim even though it has been demonstrated to be
false.

What the observatory measured was intermediate certificates with different
subject names. An intermediate certificate does not imply a CA or even an RA
capability.

Repeating a false claim does not make it true.



On Mon, Sep 26, 2011 at 2:22 AM, Matt McCutchen <matt at mattmccutchen.net> wrote:

> On Thu, 2011-09-22 at 13:22 -0400, Phillip Hallam-Baker wrote:
> > That is why I refuse to accept the US-controlled DNSSEC hierarchy as
> > the ultimate PKI authority. Whatever the claims to the contrary, the
> > ICANN root CA is under de facto US government control.
>
> Yes, absolutely; I pointed this out before
> (http://www.ietf.org/mail-archive/web/keyassure/current/msg01179.html).
> But DNSSEC is enough of an improvement over the current 100-odd-way
> disjunction that I think I'll do more good by first pushing for DNSSEC
> and then pursuing the deeper changes that will be necessary to
> completely dispense with all-powerful third parties.
>
> > Russia, China and Iran would be fools not to lobby for the DNSSEC
> > scheme because once a single point of control is established it will
> > be a trivial matter for them to usurp it within their own territories.
>
> Huh?  If you have the real IANA public key, any attempted usurpation
> outside the CCTLDs controlled by the respective countries is obvious.
> Whereas with the disjunction of 100+ CAs, if Russia has one CA, it can
> defraud users with respect to the entire namespace.  If you were
> thinking of a different scenario, could you spell out the outcomes under
> the two systems to help me understand?
>
> I appreciate your intentions of providing distributed control through
> multiple CAs.  But as long as the system is structured as a disjunction,
> all it provides is increased attack surface, some of which may lie right
> in the countries in question.  Do you propose to change that?
>
> > The only way to control for the threat of government coercion is to
> > ensure that there is transparency in the control mechanism so that a
> > default can be detected and there is an alternative means of providing
> > authentication in the case that a default occurs.
>
> And if the alternative mechanism is weaker, the government will just
> cause the main mechanism to default all the time, so you haven't really
> explained how to reduce the problem.  Phill, if you're interested in
> working on this seriously, please poke me and maybe I'll actually set up
> a mailing list like I was thinking of before...
>
> > What is (I think) at issue here is the question of whether a CA would
> > be legally coerced to issue false credentials in order to enable a
> > lawful intercept.
>
> Agreed, that is what I am interested in.
>
> --
> Matt
>
>


-- 
Website: http://hallambaker.com/