[cryptography] this house believes that user's control over the root list is a placebo
James A. Donald
jamesd at echeque.com
Sun Jun 26 06:33:45 EDT 2011

On 2011-06-26 7:50 PM, Ralph Holz wrote:
> On moz.dev.sec.policy, the proposal is out that CAs need to publicly
> disclose security incidents and breaches. This could actually be a good
> step forward. If the numbers show that incidents are far more frequent
> than generally assumed, this would get us away from the "low frequency,
> high impact" scenario that we all currently seem to assume, and which is
> so hard to analyse. If the numbers show that incidents are very rare -
> fine, too. Then the current model is maybe not too bad (apart from the
> fact that one foul apple will still spoil everything, and government
> interference will still likely remain undetected).

The most common security breach is probably that a government or
powerful private group launches a man-in-the-middle attack. Are CAs
going to report that? Seems unlikely.

On Tor, a website is identified by the hash of its public key.

Thus the infamous Silk Road is: http://ianxz6zefk72ulzz.onion/index.php

If it had been on the regular web, in very short order, it would have
been redirected to the DEA, and the CAs would have given the DEA a
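
Added example, not part of the original message: a sketch of why a name that is the hash of a public key needs no CA, using the legacy 16-character onion naming (base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key). The key bytes, function names and addresses are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def onion_v2_label(pubkey_der: bytes) -> str:
    """Derive the 16-character label from a DER-encoded RSA public key."""
    digest = hashlib.sha1(pubkey_der).digest()
    # First 80 bits (10 bytes) of the hash, base32, lower case, no padding.
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def label_from_address(address: str) -> str:
    """Accept either a bare host name or a full URL and return the label."""
    host = urlsplit(address).hostname if "://" in address else address
    host = (host or "").lower().rstrip(".")
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    return host

def key_matches_address(address: str, presented_key_der: bytes) -> bool:
    """True only if the presented key hashes to the name the user asked for."""
    label = label_from_address(address)
    if len(label) != 16:
        return False  # not a well-formed legacy onion label
    return label == onion_v2_label(presented_key_der)

# Constructed stand-ins for DER-encoded keys (not real key material).
SERVICE_KEY = b"constructed stand-in: service public key (DER)"
INTERCEPTOR_KEY = b"constructed stand-in: interceptor public key (DER)"

def demo() -> dict:
    address = "http://" + onion_v2_label(SERVICE_KEY) + ".onion/index.php"
    return {
        "address": address,
        # The genuine key verifies against the name with no third party.
        "genuine": key_matches_address(address, SERVICE_KEY),
        # A substituted key fails, whatever certificate accompanies it.
        "substituted": key_matches_address(address, INTERCEPTOR_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The check binds the name to the key directly, so a party that substitutes its own key cannot pass it without also changing the address the user typed.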