Hi,

>> Following your argument, in fact, we should have a large DB with MITM
>> certs and incidents already. We don't - but not because CAs would not
>> have issued MITM certs for sub-CAs, surely?
>>
>> No, CAs would try to hide the fact that they have issued certs that are
>> good for MITMing a corporate network. Some big CAs -- too big to fail even,
>> maybe, and what about them? -- have not yet publicly stated that they
>> have never issued such certs. I think giving them a chance at amnesty is
>> a better strategy.

> That penalizes CAs who choose to operate ethically and within the
> bounds of contractual agreements. Just sayin....
Well, it's a point one can make. The question is whether pulling someone's root would help the ethical guys so much more, however, or whether having operated unethically has given the others so much of an advantage. On the whole, the net gain in security seems better with Marsh's proposal.

Ralph

--
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
