From a business person's standpoint I can see why they might not use that technical control. They look at it as companies will use whatever they want for their intranets (same reason we have new TLDs resolving as 127.0.53.53). And like most places I'm going to guess that money takes priority over the security of the Internet (and I would say their good name, except they are a spin-off of the credit agency Equifax).
-----------------------------------------------------------------------------------------------
-ITG (ITechGeek)
[email protected]
https://itg.nu/
GPG Keys: https://itg.nu/contact/gpg-key
Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook: http://fb.me/Jbwa.Net

On Mon, Apr 6, 2015 at 2:59 AM, Jeffrey Walton <[email protected]> wrote:

> On Sun, Apr 5, 2015 at 6:25 PM, ITechGeek <[email protected]> wrote:
> > So does this mean Iran & the like can stop hacking CAs and buy their own
> > Geotrust cert to MITM their population?
> >
> Yeah, it's been around for a while. What's surprising (or maybe not)
> is the CA is still not constraining the organizations even though a
> technical control is available to do so.
>
> Do away with the independent third party that assesses the signing
> request, don't bother with the security controls to limit impact of a
> bad actor, and then allow the organization to operate on best
> behavior. Sigh...
>
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
