[cryptography] Bonding or Insuring of CAs?

Natanael natanael.l at gmail.com
Fri Jan 25 19:11:59 EST 2013

On topic for the thread: I don't *think* there are currently any insurance
companies with special policies for CAs. There might be about 600
organizations that can issue SSL certs according to EFF, but there are more
insurance companies than that in the world. Most of them probably don't
have many CAs as clients.


About what's on/off topic: Well, I guess many would agree that a strong
cryptographic algorithm/protocol is useless if the implementation is bad,
so that would be relevant (like SSL and relying on CAs). If you are
interested in cryptography, I assume you want it to be used right. But
then again, there's a limit for when it's too far off topic. So I guess the
real question is *what is too off-topic*? I guess we need some consensus
about what's too off topic. It makes sense to talk about why a clever
algorithm that is useless *is* useless (like most of quantum crypto). But
if a question about insurance companies and their incentives to push a CA
to improve security strays into talk about general insurance company
policies or even away from anything related to security or trust, that's
too far off topic IMHO. But a discussion about the incentives for CAs to
do the right thing seems enough on topic to me, because SSL as designed is
useless without secure CAs (not considering Perspectives or MonkeySphere
unless either gets momentum enough for widespread use). Making SSL work in
real life is on topic for this list, right? That's what I'm assuming.

If somebody wants there to be a pure cryptography mailing list and a separate,
more generic one (like this one currently is), I think that person would
have to try starting a more strict crypto mailing list, because I don't
think most people here would want the rules here to get stricter or that
they would want to switch to a different list that would be just like this
one is now. We also don't want too many different lists.

2013/1/25 Paul Hoffman <paul.hoffman at vpnc.org>

> Since there isn't a strong list moderator here, I gotta ask: is this (and
> similar PKIX-is-broken threads) on-topic for this mailing list? Regardless
> of how much I agree with the sentiment, it seems to have nothing to do with
> cryptography. Maybe someone should set up a post-pki mailing list for such
> threads? (Or maybe I should be less cranky?)
> --Paul Hoffman