Marsh Ray <[email protected]> writes: >The CAs can each fail on you independently. Each one is a potential weakest >link in the chain that the Relying Party's security hangs from. So their >reliability statistics multiply: > >one CA: 0.99 = 99% reliability >two CAs: 0.99*0.99 = 98% reliability >100 CAs: 0.99**100 = 37% reliability
I realise that this is playing with numbers to some extent (i.e. we don't know what the true reliability figure actually is), but once you take it out to what we currently have in browsers: 500 CAs: 0.6% reliability. Thousands (via sub-CAs): Effectively zero. In other words once you get to the current morass of auto-trusted CAs, failures of the kind we've been seeing are pretty much guaranteed. Peter. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
