[cryptography] Math corrections

Benjamin Kreuter brk7bx at virginia.edu
Sun Sep 18 16:30:06 EDT 2011

On 09/18/2011 03:30 PM, Joe St Sauver wrote:
> Ian asked:
> #Right -- how to fix the race to the bottom?
> Wasn't that supposed to be part of the Extended Validation solution?
> If it has failed at that, and I could see arguments either way, the
> other "natural" solution is probably government regulation. It likely 
> wouldn't be pretty, but imagine:
> -- governmental accreditation of CAs (instead of, or in addition to, 
>    browser vendor/CAB reviews)
> -- governmental minimum price points for regulated products (thereby 
>    eliminating the race to the bottom, or competition on pricing in
>    general)
> -- potentially government required insurance bonds, protecting the 
>    public against negligence or malfeasance
> -- governmental audits/reviews of CA compliance
> -- pressure on third parties to make sure that PCI-DSS and similar
>    regulations mandate use of government approved CAs, only

Which government do you think would be willing to ensure that CAs are
doing their jobs?  The way I see this playing out is that whatever
government performs these audits or grants accreditation would give
preferential treatment to CAs that are willing to issue fake
certificates to law enforcement and intelligence agencies.  I wish I
could trust my own government (the US government) to do this sort of
thing, but a quick look at the Justice Department's policy on
cryptography demonstrates why that is not going to happen.  I cannot
think of any government that would not preferentially certify CAs that
cooperate with that particular government's requests for fake certificates.

To put it another way, governments like having the power to wiretap
criminals, and they want their law enforcement agencies to be able to
perform MITM attacks as part of that wiretapping power.  Why would we
trust the group of people who want to have the ability to perform MITM
attacks to certify a system that is designed to prevent MITM attacks?

-- Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20110918/999b8e30/attachment.asc>

More information about the cryptography mailing list