[cryptography] Math corrections

Ralph Holz holz at net.in.tum.de
Sun Sep 18 13:53:38 EDT 2011


> Are there weaknesses in PKI?  Undoubtedly!  But, there are failures
> in every ecosystem.  The intelligent response to "certificate
> manufacturing and distribution" weaknesses is to improve the quality
> of the ecosystem - not throw the baby out with the bath-water.

And how do you propose to go about it? The incentives seem all wrong -
the famous race to the bottom. RapidSSL (2009), Comodo (2008, 2011),
StartSSL (2008, 2011), DigiNotar (2011). With the exception of StartSSL
and RapidSSL (Kurt Seifried only intended to test their systems), all
these attacks have been more or less successful.

There are about 160 root certificates in NSS. Last I looked a few dozen
were in the queue. By how many do you propose to reduce the number? Or
do you propose name restrictions? If so, for whom?

DigiNotar might have had an additional incentive, as a CA that was also
chosen by a government. What did they make of it?

I am not opposed to PKI as in the generic meaning of the term, but how
do you propose to rescue today's ecosystem? I don't really believe in that.
