I found the following comments of Taher Elgamal interesting, "time for some Internet entity to start to collect reputation data on CAs" and "it would have been so much easier for the browser to sign CA root keys instead of just hard-coding."
http://www.darkreading.com/authentication/167901072/security/news/231901107/on-trusting-certificate-authorities.html

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Peter Gutmann
Sent: Saturday, November 12, 2011 7:34 PM
To: [email protected]; [email protected]
Subject: Re: [SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Ralph Holz <[email protected]> writes:

>You see, all these PKI problems are well-known, and no-one has come up with
>sensible solutions in the past decades.

I think as long as the industry can keep layering epicycles upon epicycles for PKI rather than looking at, and addressing, the underlying problem, we'll never get any real solution, or even real progress. Look at the response to the Diginotar meltdown, it's been to add another couple of epicycles [0] and then sit back and wait for the next, inevitable, one to hit us, the exact same strategy that failed the previous twenty times it was tried [1].

Peter.

[0] I'm using the epicycles concept in its popularly-disseminated sense as an analogy, not necessarily the historically correct one, which can be debated endlessly.

[1] The most popular form of the epicycle story ascribes 80 to the Ptolemaic system, so we have a while to go yet.
