On 09/18/2011 10:53 AM, Ralph Holz wrote:
Hi,
Are there weaknesses in PKI? Undoubtedly! But, there are failures
in every ecosystem. The intelligent response to "certificate
manufacturing and distribution" weaknesses is to improve the quality
of the ecosystem - not throw the baby out with the bath-water.
And how do you propose to go about it? The incentives seem all wrong -
the famous race to the bottom. RapidSSL (2009), Comodo (2008, 2011),
StartSSL (2008, 2011), DigiNotar (2011). With the exception of StartSSL
and RapidSSL (Kurt Seifried only intended to test their systems), all
these attacks have been more or less successful.
There are about 160 root certificates in NSS. Last I looked a few dozen
were in the queue. By how many do you propose to reduce the number? Or
do you propose name restrictions? If so, for whom?
DigiNotar might have had an additional incentive, as a CA that was also
chosen by a government. What did they make of it?
I am not opposed to PKI as in the generic meaning of the term, but how
do you propose to rescue today's eco system? I don't really believe in that.
Having built dozens of (private) PKIs over the last 12 years, I do
have some ideas on addressing the weaknesses.
Rather than shoot from the hip, the logical way to propose a solution
would be to write a paper on it and submit it to IDTrust 2012 for
discussion. If it is selected, it will have the merit of having been
reviewed and deemed worthy of discussion. If not, I will have wasted
only a few reviewers' time.
Arshad Noor
StrongAuth, Inc.
P.S. IDTrust 2012 is likely to be announced here sometime in the next
few weeks: http://middleware.internet2.edu/idtrust/
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography