Hi Arshad,

It occurs to me that we're almost there.


On 22/09/11 02:30 AM, Arshad Noor wrote:
> Thirdly, let's assume that the compromised CA has *explicitly* entered
> into a cross-certification agreement with one or more other TTP CAs.

Right, they got themselves listed by the browsers, who hid the CAs under dialog-camo. This is Peter's universal implicit cross-certification.

That fact.  Plus this result:

> Are there problems with PKI?  I have already said, undoubtedly.  But,
> these are "certificate manufacturing and distribution" problems that
> must be addressed.  They are not a fundamental weakness of PKI itself.

And we're there. Causality. To address the certificate manufacturing and distribution problem (aka the race to the bottom) then you need to address the universal implicit cross-certification.


> P.S.  The use of the term "universal implicit cross-certification"
> only serves to add confusion to an already complex field; you are the
> only one that uses it (3 of the top 5 responses in a Google search
> of this term are from this thread; the remaining two come from your
> paper and presentation at IDTrust from some years ago).  It took me
> a while to realize that it's just your term for "independent
> trust-chains" in the browser.  It might help the PKI community if we
> called a spade a spade.  Thank you.

Probably what is confusing to the PKI community is that you've stepped outside your theoretical models into the world of business. In business, if we certify and hide, then we start a race to the bottom.

This is why branding is so important in business; because it gives the company a reason to establish a quality. In the CA world, the decision of the vendors to unbrand the CAs caused them to not need a quality approach, just a compliance approach.

It's not personal :) It's just business.

You see the same effect of compliance in other industries; the famous example we talk about is Sarbanes-Oxley and securitization and the race to global bankruptcy :)



iang


_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
