[cryptography] Math corrections

Arshad Noor arshad.noor at strongauth.com
Sun Sep 18 14:21:27 EDT 2011

On 09/18/2011 10:53 AM, Ralph Holz wrote:
> Hi,
>> Are there weaknesses in PKI?  Undoubtedly!  But, there are failures
>> in every ecosystem.  The intelligent response to "certificate
>> manufacturing and distribution" weaknesses is to improve the quality
>> of the ecosystem - not throw the baby out with the bath-water.
> And how do you propose to go about it? The incentives seem all wrong -
> the famous race to the bottom. RapidSSL (2009), Comodo (2008, 2011),
> StartSSL (2008, 2011), DigiNotar (2011). With the exception of StartSSL
> and RapidSSL (Kurt Seifried only intended to test their systems), all
> these attacks have been more or less successful.
> There are about 160 root certificates in NSS. Last I looked a few dozen
> were in the queue. By how many do you propose to reduce the number? Or
> do you propose name restrictions? If so, for whom?
> DigiNotar might have had an additional incentive, as a CA that was also
> chosen by a government. What did they make of it?
> I am not opposed to PKI as in the generic meaning of the term, but how
> do you propose to rescue today's eco system? I don't really believe in that.

Having built dozens of (private) PKIs over the last 12 years, I do
have some ideas on addressing the weaknesses.

Rather than shoot from the hip, the logical way to propose a solution
would be to write a paper on it and submit it to IDTrust 2012 for
discussion.  If it is selected, it will have the merit of having been
reviewed and deemed worthy of discussion.  If not, I will have wasted
only a few reviewers' time.

Arshad Noor
StrongAuth, Inc.

P.S.  IDTrust 2012 is likely to be announced here sometime in the next
few weeks: http://middleware.internet2.edu/idtrust/

More information about the cryptography mailing list