[cryptography] this house believes that user's control over the root list is a placebo

James A. Donald jamesd at echeque.com
Sun Jun 26 06:33:45 EDT 2011


On 2011-06-26 7:50 PM, Ralph Holz wrote:
> On moz.dev.sec.policy, the proposal is out that CAs need to publicly
> disclose security incidents and breaches. This could actually be a good
> step forward. If the numbers show that incidents are far more frequent
> than generally assumed, this would get us away from the "low frequency,
> high impact" scenario that we all currently seem to assume, and which is
> so hard to analyse. If the numbers show that incidents are very rare -
> fine, too. Then the current model is maybe not too bad (apart from the
> fact that one foul apple will still spoil everything, and government
> interference will still likely remain undetected).

The most common security breach is probably that a government or 
powerful private group launches a man in the middle attack.  Are CAs 
going to report that?  Seems unlikely.

On tor, a website is identified by the hash of its public key.

Thus the infamous silk road is: http://ianxz6zefk72ulzz.onion/index.php

If it had been on the regular web, in very short order, it would have 
been redirected to the DEA, and the CAs would have given the DEA a 
certificate.
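The self-authenticating naming the post contrasts with the CA model, as an added example that is not part of the original message: the .onion name is derived from the service's public key (the 2011-era v2 scheme hashes the DER-encoded RSA key; the current v3 scheme encodes an ed25519 key with a checksum), so a client can check the key it is handed against the name it typed without consulting any CA. The sample keys are constructed placeholder bytes, not real service keys.

```python
"""Derive and verify .onion names from public keys (Tor v2 and v3 schemes)."""
import base64
import hashlib


def v2_onion_address(rsa_public_key_der: bytes) -> str:
    """v2: base32 of the first 80 bits of SHA-1 over the DER RSA public key."""
    digest = hashlib.sha1(rsa_public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def v3_onion_address(ed25519_public_key: bytes) -> str:
    """v3: base32(PUBKEY || CHECKSUM || VERSION), VERSION = 0x03,
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    if len(ed25519_public_key) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(
        b".onion checksum" + ed25519_public_key + version).digest()[:2]
    raw = ed25519_public_key + checksum + version
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def key_matches_address(address: str, public_key: bytes) -> bool:
    """Client-side check: recompute the name from the key presented in the
    handshake and compare it with the name the user asked for. A key that
    does not produce the name is rejected; no third party is trusted."""
    host = address.lower()
    if not host.endswith(".onion"):
        return False
    label = host[:-len(".onion")]
    if len(label) == 16:
        return v2_onion_address(public_key) == host
    if len(label) == 56:
        try:
            return v3_onion_address(public_key) == host
        except ValueError:
            return False
    return False


# Constructed sample keys (placeholders, not real Tor service keys).
SAMPLE_RSA_DER = bytes(range(0x30, 0x30 + 140))
SAMPLE_ED25519 = hashlib.sha256(b"constructed ed25519 sample").digest()
OTHER_ED25519 = hashlib.sha256(b"a different constructed key").digest()

if __name__ == "__main__":
    addr = v3_onion_address(SAMPLE_ED25519)
    print(addr, key_matches_address(addr, SAMPLE_ED25519))
```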


