Hi,

On Thu, Sep 8, 2011 at 6:20 PM, Andy Steingruebl <[email protected]> wrote:
> On Thu, Sep 8, 2011 at 1:30 AM, Ralph Holz <[email protected]> wrote:
> > Hi,
> >
> > I (still) cannot believe how Symantec reacts to the DigiNotar breaches - basically ignoring the known shortcomings:
> >
> > http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters
>
> To be contrarian for a moment....
>
> In the "old days" (a few months ago) the only real difference for a customer between most CAs was how widely their trust was distributed. What platforms (Windows, which mobile phones, etc). Their customers didn't have to care about quality, and really didn't have to care about the CA going away, except if the CA went bankrupt or something...
>
> Today, maybe that has changed ever so slightly? If a customer now fears that their/a CA will actually get de-listed from the popular platforms, thus causing them an outage, maybe customers start demanding CAs that are less likely to get de-listed? Maybe ones that can demonstrate better security controls, or somesuch?

I don't expect the average Joe to know which security controls are better than others and, in turn, I don't expect him to tell an untrustworthy CA from yet-another-CA anytime soon. Even if he could (w.r.t. security controls for the verification of the claimed identity), the incentives are misaligned, as the consumers strive for cheaper certificates and issuers for higher margins.

The possibility exists for the CA industry to try to self-regulate, issuing security mandates to comply with -- which are not necessarily right, well focused or inexpensive (a PCI DSS déjà vu).

Solving the PKI failures we are experiencing requires a multi-dimensional approach. Information asymmetries need to be reduced. At the same time, we need to address the architectural issues; as noted by Peter: "Universal implicit cross-certification makes the entire system as weak as the weakest link".
> This isn't to say it justifies or supports the marketing campaign, but perhaps there is a real message hidden in there after all?
>
> - Andy

--
alfonso
blogs at http://Plaintext.crypto.lo.gy
tweets @secYOUre
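The two architectural points raised in this thread, that any trusted root can vouch for any name ("as weak as the weakest link") and that de-listing a CA after a breach causes an outage for its legitimate customers, can be shown with a small trust-store model. This is an added example, not code from the thread or from any of the participants; it simulates signatures with HMAC under a per-CA secret purely to stay self-contained (real X.509 uses public-key signatures), and the CA names, keys and hostnames are constructed. The `permitted` name-constraint field models how an issuer could be limited to a set of domains, which is the kind of binding that universal implicit cross-certification lacks.

```python
"""Toy model of a browser trust store. Any trusted root can vouch for any
name unless it carries name constraints. Signatures are simulated with HMAC
(a shared secret per CA) only to keep the example self-contained; this is a
model of chain validation, not real X.509."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate claims
    issuer: str    # name of the CA that issued it
    sig: bytes     # simulated signature over (subject, issuer)


@dataclass(frozen=True)
class CA:
    name: str
    key: bytes            # simulated signing key (constructed value)
    permitted: tuple = () # name-constraint suffixes; () = unconstrained

    def _mac(self, subject: str) -> bytes:
        msg = f"{subject}|{self.name}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, subject: str) -> Cert:
        return Cert(subject, self.name, self._mac(subject))

    def permits(self, hostname: str) -> bool:
        if not self.permitted:
            return True  # unconstrained root: may vouch for any name
        return any(hostname == p or hostname.endswith("." + p)
                   for p in self.permitted)


def verify(cert: Cert, trust_store: dict, hostname: str) -> bool:
    """Accept the cert if its issuer is trusted, the signature checks under
    that issuer, the name matches, and the issuer's constraints permit it."""
    ca = trust_store.get(cert.issuer)
    if ca is None:
        return False
    if not hmac.compare_digest(cert.sig, ca._mac(cert.subject)):
        return False
    if cert.subject != hostname:
        return False
    return ca.permits(hostname)


def scenario(constrained: bool):
    """Constructed trust store: one large CA, one small regional CA."""
    big = CA("BigCA", b"big-secret-key")
    small = CA("SmallCA", b"small-secret-key",
               permitted=("example.nl",) if constrained else ())
    store = {ca.name: ca for ca in (big, small)}
    # A legitimate customer of SmallCA, and a cert for a domain SmallCA has
    # no business with (what misuse of the weakest CA's key yields).
    legit = small.issue("shop.example.nl")
    rogue = small.issue("mail.example.com")
    return store, legit, rogue


def _check(store, legit, rogue) -> dict:
    return {
        "legit_accepted": verify(legit, store, "shop.example.nl"),
        "rogue_accepted": verify(rogue, store, "mail.example.com"),
    }


def weakest_link_results() -> dict:
    """Unconstrained roots: the rogue cert is accepted everywhere."""
    return _check(*scenario(constrained=False))


def constrained_results() -> dict:
    """Name constraints on SmallCA: rogue cert rejected, customers unaffected."""
    return _check(*scenario(constrained=True))


def delisted_results() -> dict:
    """De-listing SmallCA after a breach: rogue cert rejected, but every
    legitimate SmallCA customer now has an outage."""
    store, legit, rogue = scenario(constrained=False)
    del store["SmallCA"]
    return _check(store, legit, rogue)


if __name__ == "__main__":
    print("unconstrained:", weakest_link_results())
    print("constrained:  ", constrained_results())
    print("de-listed:    ", delisted_results())
```

Running the block prints the three outcomes side by side: with unconstrained roots the rogue certificate validates, name constraints stop it without touching the CA's real customers, and wholesale de-listing stops it at the price of an outage for those customers, which is the trade-off a platform vendor faces when it removes a root.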
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
