On Sep 17, 2011, at 8:54 PM, Arshad Noor wrote:
> When one connects to a web-site, one does not trust all 500 CA's in
> one's browser simultaneously;
Actually, that is exactly the situation.
If, and only if, the person operating the browser inspects the certificate
chain and knows what to expect — e.g. that the real accounts.google.com is
signed Verisign -> Thawte -> accounts.google.com — then they can be fooled by
any misuse of any of the ~1,500 signing certificates. In effect, the user
either expects and understands all this complicated stuff, or they expect and
understand one bit of information ("Did I get a padlock in the URL bar or not").
Obviously, people don't know what exact certificate chains to expect for
arbitrary sites.
Because the information available to most people is just that one bit, they are
exposed on every connection to every signer. Thus, having more signers or
longer certificate chains does not reduce the probability of failure; it gives
attackers more chances to score a hit with (our agreed-upon hypothetical) 0.01
probability. After just 100 chances, an attacker is all but certain to score a
hit.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
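A worked form of the exposure argument in the message above, added here and not part of the original post. It assumes the N signers' misuse events are independent and each has the thread's hypothetical probability p = 0.01; since the padlock bit does not tell the user which signer issued the chain, the per-connection failure probability is the union over all signers, not the per-signer p:

$$P(\text{at least one misused signer among } N) \;=\; 1 - (1-p)^N$$

$$N = 100:\quad 1 - 0.99^{100} \approx 0.634 \qquad\qquad N = 1500:\quad 1 - 0.99^{1500} \approx 1 - e^{-15.1} \approx 1$$

Each additional trusted signer raises the exponent, so under this model adding roots or intermediates can only increase the per-connection exposure.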