Hi,

On 02/14/2012 04:20 PM, Adam Back wrote:
> My point is this - say you are the CEO of a CA. Do you want to bet
> your entire company on no one ever detecting or reporting the MITM
> sub-CA that you issued? I wouldn't do it. All it takes is one savvy
> or curious guy in a 10,000 person company.
>
> Consequently if there are any other CAs that have done this, they now
> know Mozilla and presumably other browsers are on to them and they
> need to revoke any MITM sub-CA certs and stop doing it or they risk
> their CA going bankrupt like with DigiNotar.
Yes, I got that. I just think it's not how a normal CEO would react if
TrustWave had been kicked out *after* confessing what they'd done. If
that confession had been met with punishment, CAs would have had only an
incentive to hide, but not to make further confessions.

That's why I said I like Marsh's proposal: incentives are now to make up
for past mistakes, *and* take precautions they are not repeated. That's
a net gain in security for everyone, and that's why I was against
kicking out TrustWave.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
