On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann
<pgut...@cs.auckland.ac.nz> wrote:
> Some more amusing anecdotes from the world of PKI:


Not to be too contrary (though at least a little) - not all of these
are really PKI failures are they?

> - There's malware out there that pokes fake Verisign certificates into the
>  Windows trusted cert store, allowing the malware authors to be their own
>  Verisign.

The malware could just as easily fake the whole UI.  Is it really
PKI's fault that it doesn't defend against malware?  Did even the
grandest supporters ever claim it could/did?

> - CAs have issued certs to cybercrime web sites like
>  https://www.pay-per-install.com (an affiliate program for malware
>  installers), because hey, the Russian mafia's money is as good as anyone
>  else's.

Similarly here - non-EV CAs bind DNS names to a field in a
certificate. No more.  They don't vouch for the business being run,
and in any case any such "audit" would be point in time anyway. I
suppose way back when people "promised" that certs would do this, but
does anyone believe that anymore and have it as an expectation?
Perhaps you're setting the bar a bit high?

BTW - do you have pointers to most of the things you've reported?  I'd
love to get the full sordid details :)

- Andy

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to