> This is about barely capable sysadmins. 
> Different problem.

> From the perspective of the relying party (me, caring about making a secure 
> connection to my bank), the problems are indistinguishable. A CA who retains a 
> sysadmin who is barely capable deserves less trust than one who retains 
> sysadmins who are capable.

My bank, when trying to decide which CAs might get removed from the root piles 
in the future, should also see the problems as indistinguishable. That is, I 
would hope that my bank would pick a CA who is capable and non-ossified so 
that, when the incapable and ossified CAs are removed from the root piles, my 
bank doesn't need to get a new cert.

I would not mind if adoption of certificate transparency hastens the shedding 
of barely-capable CAs; the one-time hassle for some users would be far 
outweighed by the longer-term benefit to the security of the Internet.

--Paul Hoffman
