And the same holds for: * Has offered SSL on every port for 3 years * Has used a particular DNS service
If just one thing changes then there may be an innocent explanation but if all three change and it is a high trafficked site then it probably deserves a person (and I mean a person) taking a look at the situation. Continuity is a powerful tool. If we choose to use it we should look at the complete range of problems it might address. For example, updates to application software. Isn't that an area where a continuity of key model might pay huge dividends? I know that it would certainly help our positive veting based AV product. If every software product was signed it would immediately reduce the problem of tracking code from tracking a few hundred million separate binaries to tracking a few million keys of which maybe 1% account for 80% of all the wealth, sorry binaries. Again, the proposals that involve a notary, what else might those be useful for? On Thu, Jan 26, 2012 at 10:59 PM, Tom Ritter <[email protected]> wrote: > The discussion about what is and isn't in scope and whether we should > try to fix DNS theft/transfer as a single example reminded me of this > slide deck from Peter Gutmann: > http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf that talks > about shades of grey when assessing riskiness of a site. If a > certificate was used consistently from a certain CA for 3 years and > hosted in California, then switches to a Russian CA and host - even if > it's CA-signed, that's suspicious. > > -tom > _______________________________________________ > therightkey mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/therightkey -- Website: http://hallambaker.com/ _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
