On 2011-09-18 3:37 PM, Marsh Ray wrote:
Now you may be a law-and-order type fellow who believes that lawful
intercept is a magnificent tool in the glorious war on whatever. But if
so, you have to realize that on the global internet, your own systems
are just as vulnerable to a lawfully executed
On Sun, Sep 18, 2011 at 1:37 AM, Marsh Ray ma...@extendedsubset.com wrote:
On 09/17/2011 11:59 PM, Arshad Noor wrote:
The real problem, however, is not the number of signers or the length
of the cert-chain; it's the quality of the certificate manufacturing
process.
No, you have it exactly
On 18/09/11 2:59 PM, Arshad Noor wrote:
On 09/17/2011 09:14 PM, Chris Palmer wrote:
Thus, having more signers or longer certificate chains does not reduce
the probability of failure; it gives attackers more chances to score a
hit with (our agreed-upon hypothetical) 0.01 probability. After just
On 18/09/11 1:54 PM, Arshad Noor wrote:
When one connects to a web-site, one does not trust all 500 CA's in
one's browser simultaneously; one only trusts the CA's in that specific
cert-chain. The probability of any specific CA from your trust-store
being compromised does not change just because
On 09/17/2011 09:14 PM, Chris Palmer wrote:
Thus, having more signers or longer certificate chains does not reduce the
probability of failure; it gives attackers more chances to score a hit with
(our agreed-upon hypothetical) 0.01 probability. After just 100 chances, an
attacker is all but
On 09/17/2011 11:59 PM, Arshad Noor wrote:
The real problem, however, is not the number of signers or the length
of the cert-chain; it's the quality of the certificate manufacturing
process.
No, you have it exactly backwards.
It really is the fact that there are hundreds of links in the chain