Hi Arshad,
It occurs to me that we're almost there.
On 22/09/11 02:30 AM, Arshad Noor wrote:
> Thirdly, let's assume that the compromised CA has *explicitly* entered
> into a cross-certification agreement with one or more other TTP CAs.
Right, they got themselves listed by the browsers, who hid the CAs under
dialog-camo. This is Peter's universal implicit cross-certification.
That fact. Plus this result:
> Are there problems with PKI? I have already said, undoubtedly. But,
> these are "certificate manufacturing and distribution" problems that
> must be addressed. They are not a fundamental weakness of PKI itself.
And we're there. Causality. To address the certificate manufacturing
and distribution problem (aka the race to the bottom) then you need to
address the universal implicit cross-certification.
> P.S. The use of the term "universal implicit cross-certification"
> only serves to add confusion to an already complex field; you are the
> only one that uses it (3 of the top 5 responses in a Google search
> of this term are from this thread; the remaining two come from your
> paper and presentation at IDTrust from some years ago). It took me
> a while to realize that it's just your term for "independent
> trust-chains" in the browser. It might help the PKI community if we
> called a spade a spade. Thank you.
Probably what is confusing to the PKI community is that you've stepped
outside your theoretical models into the world of business. In
business, if we certify and hide, then we start a race to the bottom.
This is why branding is so important in business; because it gives the
company a reason to establish a quality. In the CA world, the decision
of the vendors to unbrand the CAs caused them to not need a quality
approach, just a compliance approach.
It's not personal :) It's just business.
You see the same effect of compliance in other industries, the famous
example we talk about is Sarbanes-Oxley and securitization and the race
to global bankruptcy :)
x
iang