[cryptography] current limits of proving MITM (Re: Gmail and SSL)

Ben Laurie ben at links.org
Sun Dec 16 12:07:50 EST 2012


On Sun, Dec 16, 2012 at 9:48 AM, ianG <iang at iang.org> wrote:
> Just to nitpick on this point, a CA certainly can claim that they or an
> agent did not sign a certificate.  And, they can provide the evidence, and
> should have the ability to do this:  CAs internally have logs as to what
> they did or did not sign, and this is part of their internal process.
>
> This is because the real world doesn't trust the cryptographic evidence on
> the face of it, we always need to go back to an independent verification of
> some form - a further point against Ben's proposal.

You have not substantiated any points, and this is further nonsense:
if a CA claims they did not sign something which has been signed with
their key, then they are claiming they cannot manage their key. They
are still not acting correctly, either way.


