[cryptography] Diginotar Lessons Learned (long)
marsh at extendedsubset.com
Wed Sep 7 11:38:55 EDT 2011
On 09/07/2011 10:00 AM, Peter Gutmann wrote:
> Ian G <iang at iang.org> writes:
>> Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
> Actually I'm not sure that DigiNotar was "the bottom", since they seem to have
> been somewhat careful about the certs they issued. "The bottom" is the cert
> vending machines that will issue a cert to absolutely anyone, verified only by
> Ben Franklin. There are still plenty of those left.
Wasn't "Extended Validation" with its special green URL widget supposed
to be exactly this user-observable difference that would allow the
"better" CAs to differentiate themselves in the market?
DigiNotar was EV.
Do we need then a whole spectrum of "Super Validation", "Hyper
Validation", and "Ludicrous Validation" to address the ridiculous
deficiencies found in these current pwned EV CAs?
I think I know the answer to that. It won't help to add another 9 or two
to the reliability statistic of some CAs because the system itself is