Florian Weimer wrote:

There are simply too many of them, and not all of them implement
checks for conflicts.  I'm pretty sure I could legally register
"Metzdowd" in Germany for say, restaurant service.

This indeed is the crux of the weakness of the SSL/secure browsing/CA system. The concept called for "all CAs are equal" which is an assumption that is easily shown to be nonsense.

Until that assumption is reversed, the secure
browsing application is ... insecure.  (I of
course include "no CA" and "self-signed certs"
within the set of "all CAs.")

The essence of any fixes in the browsers should
be to address the (rather fruitful) diversity
amongst CAs, and help the user to make choices
amongst the brands of same.

Some CAs are more equal than others... and the
sooner a browser recognises this, the better.

These bodies could issue logo certificates.

These certificates would only have value if there is extensive
verification.  We probably lack the technology to do that cheaply
right now, and the necessary level of international cooperation.

I'm not sure I understand how logo certs would work, as there is still the possibility of same being issued by CA-Nigeria and having remarkable similarity to those issued by USPTO.

Until the CA is surfaced and thrust at the face
of the user, each browser's 100 or so root CAs
will be a fundamental weakness.  Including of
course the absence of CA, which is something
that is nicely hidden from the user.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to