pgut...@cs.auckland.ac.nz (Peter Gutmann) on Thursday, May 7, 2009 wrote:

>Paul Hoffman <paul.hoff...@vpnc.org> writes:
>
>>Peter, you really need more detents on the knob for your hyperbole setting.
>>"nothing happened" is flat-out wrong: the CA fixed the problem and researched
>>all related problems that it could find. Perhaps you meant "the CA was not
>>punished": that would be correct in this case.
>
>What I meant was that there were no repercussions due to the CA acting
>negligently. This is "nothing happened" as far as motivating CAs to exercise
>diligence is concerned, you can be as negligent as you like but as long as you
>look suitably embarrassed afterwards there are no repercussions (that is,
>there's no evidence that there was any exodus of customers from the CA, or any
>other CA that's done similar things in the past).
>
>...
>
>If a CA in a trust anchor pile does something terribly wrong and there are no
>repercussions, why would any CA care about doing things right? All that does
>is drive up costs. The perverse incentive that this creates is for CAs to
>ship as many certificates as possible while applying as little effort as
>possible. And thus we have the current state of commercial PKI.

It seems to me that there are a number of problems with the current CA situation. Since no CAs have been identified by name (except Verisign for a very old problem), it is hard for me to reduce the reputation of a specific CA. Even if one was identified, it's not clear what I could do to move business to more responsible CAs. So my reaction is to say that it's all a big stinking pile and try to develop systems and procedures that don't rely on CAs. (e.g. curl with a copy of the server's self-signed certificate, the Petname toolbar, etc.)

If SSL/TLS had, as part of its handshake, a list of CAs that are acceptable to the client, I could configure my browser with only high-reputation CAs. This step would probably make it desirable for servers to get certificates from more than one CA so they could return a certificate signed by an acceptable CA. It would certainly allow for some market pressure on CAs, and a high-reputation CA might be able to charge more for certificates. (The last time I ran into a case where the server certificate was not signed by a CA on my browser's default list, I used the 800 number instead. That was for activating a credit card.)

In addition, I am worried that some country's cyber-warfare department has a copy of some well-installed CA's signing key and can generate certificates whenever it wants. When D-day comes, it will spoof DNS and use the certificates to disrupt the economy of its target country.

If we had a 2 level security system, with CAs for the first introduction, and something more robust for subsequent sessions, these attack scenarios would be less likely.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
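
The "2 level" arrangement described in the message above, as an added example that is not part of the original post: a CA-validated certificate is accepted only at first introduction, and later sessions must present the remembered certificate. The `PinStore` class, the host name and the certificate byte strings are constructed for illustration.

```python
import hashlib
import hmac


class PinStore:
    """Hypothetical per-host memory of the certificate seen at first introduction."""

    def __init__(self):
        self._pins = {}  # lower-cased host name -> hex SHA-256 of the DER certificate

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, der_cert: bytes, ca_validated: bool) -> str:
        """Decide whether to accept der_cert for host.

        ca_validated is the result of ordinary CA chain validation, which the
        caller performs separately (assumption: e.g. the TLS library's verdict).
        """
        key = host.lower()
        fp = self.fingerprint(der_cert)
        pinned = self._pins.get(key)
        if pinned is None:
            # Level 1: first introduction relies on the CA.
            if not ca_validated:
                return "reject-unintroduced"
            self._pins[key] = fp
            return "pinned-first-use"
        # Level 2: the CA's verdict no longer suffices; the certificate must
        # match what was remembered, so a newly minted certificate from a
        # compromised CA key is refused even though it chains correctly.
        if hmac.compare_digest(pinned, fp):
            return "ok"
        return "reject-mismatch"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_GENUINE = b"constructed-der-bytes-genuine-server"
CERT_FORGED = b"constructed-der-bytes-issued-with-stolen-ca-key"


def demo():
    store = PinStore()
    return [
        store.check("bank.example", CERT_GENUINE, ca_validated=True),
        store.check("bank.example", CERT_GENUINE, ca_validated=True),
        store.check("BANK.example", CERT_FORGED, ca_validated=True),
    ]
```

A legitimate certificate renewal also produces `reject-mismatch`, so a deployment of this scheme needs a re-introduction path for the user.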