[NB: CC'd to the randombit cryptography list, since this is an interesting point for discussion].
Ian G <i...@iang.org> writes:

>What we'll likely see now is a series of breaches at multiple levels to
>acquire and misuse certs. We've seen compromises in the past, but what makes
>this new is that we have evidence of an aggressive attack using the cert.

I wonder if we're going to see something like the four-minute-mile phenomenon: until Roger Bannister did it, it was thought to be impossible, but once he'd proven it was possible an avalanche of others followed his lead. So now that we've had repeated public cases showing you can own a CA, will others follow?

(Two possible counterarguments: (1) For all we know this has been going on forever, but no-one's ever noticed since the CAs, in some cases in collusion with the browser vendors, have kept quiet and hoped no-one would notice, and (2) Since the value provided by browser PKI is near zero, there's no point to owning a CA for commercial attackers, so few will bother apart from hackers showing off).

Peter.