[cryptography] Diginotar Lessons Learned (long)

Marsh Ray marsh at extendedsubset.com
Wed Sep 7 11:38:55 EDT 2011

On 09/07/2011 10:00 AM, Peter Gutmann wrote:
> Ian G <iang at iang.org> writes:
>> Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
> Actually I'm not sure that DigiNotar was "the bottom", since they seem to have
> been somewhat careful about the certs they issued.  "The bottom" is the cert
> vending machines that will issue a cert to absolutely anyone, verified only by
> Ben Franklin.  There are still plenty of those left.

Wasn't "Extended Validation" with its special green URL widget supposed 
to be exactly this user-observable difference that would allow the 
"better" CAs to differentiate themselves in the market?

DigiNotar was EV.

Do we need then a whole spectrum of "Super Validation", "Hyper 
Validation", and "Ludicrous Validation" to address the ridiculous 
deficiencies found in these current pwned EV CAs?

I think I know the answer to that. It won't help to add another 9 or two 
to the reliability statistic of some CAs because the system itself is 
structurally unsound.

- Marsh

