On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann
> Some more amusing anecdotes from the world of PKI:
Not to be too contrary (though at least a little) - not all of these
are really PKI failures, are they?
> - There's malware out there that pokes fake Verisign certificates into the
> Windows trusted cert store, allowing the malware authors to be their own
The malware could just as easily fake the whole UI. Is it really
PKI's fault that it doesn't defend against malware? Did even the
grandest supporters ever claim it could/did?
> - CAs have issued certs to cybercrime web sites like
> https://www.pay-per-install.com (an affiliate program for malware
> installers), because hey, the Russian mafia's money is as good as anyone
Similarly here - non-EV CAs bind DNS names to a field in a
certificate. No more. They don't vouch for the business being run,
and in any case any such audit would be point-in-time anyway. I
suppose way back when people promised that certs would do this, but
does anyone believe that anymore and have it as an expectation?
Perhaps you're setting the bar a bit high?
BTW - do you have pointers to most of the things you've reported? I'd
love to get the full sordid details :)
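The point above, that a non-EV certificate binds a DNS name and nothing more, is easy to see in the relying party's own logic. The following is an added example, not code from the thread or from any participant: a hostname check in the style of RFC 6125 section 6.4.3 that compares the requested name only against the dNSName entries of the subjectAlternativeName. The certificate dicts and SAN lists are constructed sample data standing in for the fields a parsed X.509 certificate would expose; the Organization field is carried along purely to show that it never enters the decision.

```python
"""Added example (not from the original thread): what a DV/non-EV certificate
actually binds, expressed as the relying party's check.

A client asked to connect to `hostname` accepts a certificate when one of the
certificate's SAN dNSName entries matches that hostname. Subject Organization,
business registration and the like are not consulted, which is why a valid
certificate says nothing about who runs the site.
"""

import ipaddress


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True when `hostname` matches one of the SAN dNSName entries.

    Rules applied (conservative reading of RFC 6125 section 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * an IP address literal never matches a dNSName (it needs an iPAddress SAN);
      * a wildcard must be the entire leftmost label ("*.example.com"),
        must leave at least two labels to its right (no "*.com"), and
        matches exactly one label (not "a.b.example.com").
    """
    host = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: dNSName entries do not apply
    except ValueError:
        pass
    host_labels = host.split(".")

    for name in san_dns_names:
        pat = name.rstrip(".").lower()
        pat_labels = pat.split(".")

        if "*" not in pat:
            if pat == host:
                return True
            continue

        # Reject partial wildcards ("w*.example.com"), multiple wildcards,
        # wildcards not in the leftmost label, and overly broad ones ("*.com").
        if pat.count("*") != 1 or pat_labels[0] != "*" or len(pat_labels) < 3:
            continue
        # A wildcard stands for exactly one label, so label counts must agree.
        if len(host_labels) != len(pat_labels):
            continue
        if host_labels[1:] == pat_labels[1:]:
            return True
    return False


def verify_identity(cert: dict, hostname: str) -> bool:
    """Decide whether `cert` is acceptable for `hostname`.

    `cert` is a constructed dict with the fields a parsed certificate would
    expose. Only `san_dns_names` is read; `subject_org` is deliberately ignored,
    mirroring what a browser does for a DV certificate.
    """
    return hostname_matches(hostname, cert.get("san_dns_names", []))


# Constructed sample certificates (not real certificates).
DV_CERT = {
    "subject_cn": "www.example.com",
    "subject_org": None,                      # DV: no organisation asserted
    "san_dns_names": ["www.example.com", "example.com"],
}
OV_CERT = {
    "subject_cn": "www.example.com",
    "subject_org": "Example Corp",            # OV/EV: organisation present...
    "san_dns_names": ["www.example.com", "example.com"],
}
WILDCARD_CERT = {
    "subject_cn": "*.example.com",
    "subject_org": None,
    "san_dns_names": ["*.example.com"],
}


if __name__ == "__main__":
    # ...but the presence or absence of an organisation changes nothing here.
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("wildcard", WILDCARD_CERT)):
        for host in ("www.example.com", "api.example.com", "a.b.example.com"):
            print(f"{label:8s} {host:18s} -> {verify_identity(cert, host)}")
```

Note that `verify_identity` returns the same answer for `DV_CERT` and `OV_CERT`: the organisation string is dead weight as far as name validation is concerned, which is the "No more" in the reply above. Modern clients also ignore the subject CN for name matching and require a SAN, which is why the check above never reads `subject_cn`.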
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com