To take a real-world example, I can get an e-mail cert from Thawte with my sun.com address. I don't have to get that cert from the sun.com CA. And most e-mail clients will trust that cert for e-mail purposes. In a sense this is good, since there is no sun.com CA for me to get a cert from. But if there was, there would be no way to enforce that the sun.com CA is the only one authorized to sign certs for sun.com e-mail addresses. The name constraints model truly only works if the roots have disjoint name constraints, which they don't today. If there is an intersection of several CAs that you trust to issue the same subject cert, then the problem you described - and many others - can occur. But to fix this would basically eliminate any competition for CA certs.
Not only that, it would make it EASIER beyond belief for governments to intercept traffic and arrest/kill people in their country they didn't like for doing so... Not just China here either, as Robert pointed out; I think a guy in South Korea was arrested (released since) for posting political cartoons about politicians...
Imagine if only Verisign could sign .com server certs, and only the French government CA could sign .fr server certs. The prices would skyrocket. Yet, there would be fewer vulnerabilities in that model. The possibility of "duping" a CA, as you put it, would not exist, merely the possibility of the exclusive CA itself being malevolent or incompetent, which is a case that can never be ruled out, but one that can be discovered and dealt with (if in a painful manner).
Imagine what would happen if Verisign decided to route all traffic on non-issued domains, oh wait, that one already happened...
Yes, it only takes one bad root to mess up the system, but it also only takes one person noticing the incorrect operation to prove that the root CA is acting in bad faith, and remove it.
And given the above context, how would you stop a government entrusted to issue only for .cn to be replaced exactly? I think that is a REALLY REALLY bad idea... I wouldn't like it any more for the Australian Government to be in charge of this either, with the way the security departments tend to try and follow closely behind their US colleagues...
They wanted to at one point have community wireless groups offer wire tap points, not sure exactly how far they got with this ridiculous idea, considering wireless is easy to tap anyway; just go park a van full of RF gear in close vicinity of an AP and sniff...
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
