On 14/01/13 14:04 PM, Ben Laurie wrote:
On 14 January 2013 06:11, ianG <i...@iang.org> wrote:

More particularly, banks will have a cause of action against their CA, which
has not apparently batted an eye about the breach of the security model.
Sure, so everyone is doing this.  Sure, so there is a really good
optimisation argument.

How is any CA involved in this?

The legal theory would be something like this:

CAs issue root certificates which are put into root lists. The CA has a contract with each vendor that manages and distributes the root list. That contract should have appropriate controls in it.

If those controls aren't followed by the vendor, or the controls are inadequate, then the CA is negligent.

Beyond that, there are many devils & details.

iang

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
