At 6:44 PM -0400 5/5/09, Jerry Leichter wrote:
>On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
>>...This leads to the question: if a CA in a trust anchor pile does something 
>>wrong (terribly wrong, in this case) and fixes it, should they be punished? 
>>If you say "yes", you should be ready to answer "who will benefit from the 
>>punishment" and "in what way should the CA be punished"....
>The same question can be asked about *any* instance of criminal behavior, or 
>of any other kind of behavior that is considered "bad enough" to be worthy of 

Tautologically so.

>As for what your punishment as a "bad CA" should be:  Realistically, in any 
>industry based on trust, the major component of punishment should be loss of 
>trust - which results in people refusing to do business with you any more, 
>which will usually put you out of business. 

Even with this definition, there was no significant punishment in this case. 
I'm not saying there should be, particularly because the CA cleaned things up 
fairly rapidly, but only a few people probably have reduced their trust of the 
CA in question.

>In egregious cases, we send people to jail (where they can spend time with 
>Bernie Madoff).  We also have mechanisms that aren't punishments but deal with 
>the equities of the situation:  They try to right the wrongs.  So if I can 
>show that your malfeasance as a CA led to my losing money, you have to 
>compensate me.

That has never been shown in a case of CAs not following their stated 

--Paul Hoffman, Director
--VPN Consortium

The Cryptography Mailing List