On Sep 17, 2011, at 8:54 PM, Arshad Noor wrote:

> When one connects to a web-site, one does not trust all 500 CA's in
> one's browser simultaneously;
Actually, that is exactly the situation.

If, and only if, the person operating the browser inspects the certificate chain and knows what to expect — e.g. that the real accounts.google.com is signed Verisign -> Thawte -> accounts.google.com — then they can be fooled by any misuse of any of the ~1,500 signing certificates. In effect, the user either expects and understands all this complicated stuff, or they expect and understand one bit of information ("Did I get a padlock in the URL bar or not").

Obviously, people don't know what exact certificate chains to expect for arbitrary sites. Because the information available to most people is just that one bit, they are exposed on every connection to every signer.

Thus, having more signers or longer certificate chains does not reduce the probability of failure; it gives attackers more chances to score a hit with (our agreed-upon hypothetical) 0.01 probability. After just 100 chances, an attacker is all but certain to score a hit.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
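The two trust policies the message contrasts, the one-bit "padlock" check and the inspect-the-chain check, as an added example that is not part of the original post or the list thread. It is a toy model: certificates are reduced to subject/issuer names, the trust store and the chains are constructed, and the root names other than VeriSign and Thawte (taken from the message) are placeholders. It also carries the message's 0.01-per-signer figure through to the probability of at least one hit across n signers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: subject and issuer names only."""
    subject: str
    issuer: str


# Constructed trust store (hypothetical names standing in for the hundreds
# of roots a browser ships). VeriSign and Thawte are named in the message;
# RootA/RootB/RootC are placeholders.
TRUSTED_ROOTS = frozenset({"VeriSign", "Thawte", "RootA", "RootB", "RootC"})

# What an inspecting user "knows to expect" for accounts.google.com, leaf
# first, following the Verisign -> Thawte -> accounts.google.com chain the
# message describes (constructed for the example, not a real chain).
EXPECTED_CHAIN = ("accounts.google.com", "Thawte", "VeriSign")


def chain_is_well_formed(chain, roots=TRUSTED_ROOTS):
    """Each cert is issued by the next one and the last one is a trusted root."""
    if not chain:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.subject in roots and root.issuer == root.subject


def padlock_accepts(chain, hostname, roots=TRUSTED_ROOTS):
    """The one-bit policy: padlock shows if ANY trusted root anchors a valid chain."""
    return bool(chain) and chain[0].subject == hostname and chain_is_well_formed(chain, roots)


def pinned_accepts(chain, expected=EXPECTED_CHAIN, roots=TRUSTED_ROOTS):
    """The inspect-the-chain policy: accept only the exact expected subjects."""
    return (chain_is_well_formed(chain, roots)
            and tuple(c.subject for c in chain) == tuple(expected))


def roots_that_can_fool(policy, hostname="accounts.google.com", roots=TRUSTED_ROOTS):
    """Roots whose direct mis-issuance of a leaf for hostname the policy accepts.

    Under the padlock policy every root qualifies. Under pinning none does
    by direct issuance; the pinned issuers themselves remain trusted only
    when they issue through the expected path.
    """
    fooled = set()
    for r in sorted(roots):
        rogue_chain = [Cert(hostname, r), Cert(r, r)]
        if policy(rogue_chain):
            fooled.add(r)
    return fooled


def p_any_hit(p, n):
    """Probability that at least one of n independent signers, each misused
    with probability p, gives the attacker a hit: 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p) ** n


# Constructed chains for the demonstration.
LEGIT_CHAIN = [Cert("accounts.google.com", "Thawte"),
               Cert("Thawte", "VeriSign"),
               Cert("VeriSign", "VeriSign")]
ROGUE_CHAIN = [Cert("accounts.google.com", "RootC"),   # mis-issued by an unrelated root
               Cert("RootC", "RootC")]

if __name__ == "__main__":
    host = "accounts.google.com"
    print("padlock, legit :", padlock_accepts(LEGIT_CHAIN, host))
    print("padlock, rogue :", padlock_accepts(ROGUE_CHAIN, host))
    print("pinned,  legit :", pinned_accepts(LEGIT_CHAIN))
    print("pinned,  rogue :", pinned_accepts(ROGUE_CHAIN))
    print("roots that fool padlock:", roots_that_can_fool(lambda c: padlock_accepts(c, host)))
    print("roots that fool pinning:", roots_that_can_fool(pinned_accepts))
    print("P(hit) with p=0.01, n=100: %.3f" % p_any_hit(0.01, 100))
```

Under the padlock policy the rogue chain is accepted and every root in the store can fool the user; under pinning the same rogue chain is rejected and only the two pinned issuers remain in the exposure set. With p = 0.01 and n = 100 signers the hit probability comes out at roughly 0.63, which is what the 1 - (1 - p)^n calculation gives; a practitioner checking the message's "all but certain" should note that it takes about 460 independent chances at p = 0.01 to pass 0.99.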