On 2011-06-26 7:50 PM, Ralph Holz wrote:
On moz.dev.sec.policy, the proposal is out that CAs need to publicly
disclose security incidents and breaches. This could actually be a good
step forward. If the numbers show that incidents are far more frequent
than generally assumed, this would get us away from the "low frequency,
high impact" scenario that we all currently seem to assume, and which is
so hard to analyse. If the numbers show that incidents are very rare -
fine, too. Then the current model is maybe not too bad (apart from the
fact that one foul apple will still spoil everything, and government
interference will still likely remain undetected).

The most common security breach is probably that a government or powerful private group launches a man-in-the-middle attack. Are CAs going to report that? Seems unlikely.

On Tor, a website is identified by the hash of its public key.

Thus the infamous Silk Road is: http://ianxz6zefk72ulzz.onion/index.php

If it had been on the regular web, in very short order, it would have been redirected to the DEA, and the CAs would have given the DEA a certificate.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
