On 18/09/11 2:59 PM, Arshad Noor wrote:
On 09/17/2011 09:14 PM, Chris Palmer wrote:

Thus, having more signers or longer certificate chains does not reduce
the probability of failure; it gives attackers more chances to score a
hit with (our agreed-upon hypothetical) 0.01 probability. After just
100 chances, an attacker is all but certain to score a hit.

Agreed. But, that is just a consequence of the numbers involved.

You guys have a very funny way of saying probability equals 100% but hey, ... as long as we get there in the end, who am I to argue :)

The real problem, however, is not the number of signers or the length
of the cert-chain; it's the quality of the "certificate manufacturing"
process.

Which is a direct consequence of the fact that the vendors unwound the K6 mistake of PKI (my words), and hid the signature chain (your words).

Hence the commonly cited "race to the bottom."

So, causes and effects.

The real question is, how to reverse the race to the bottom? What tweak do we have in mind?



iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
