On Nov 1, 2012, at 9:29 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:
> This is about barely capable sysadmins. > > Different problem. >From the perspective of the relying party (me, caring about making a secure >connection to my bank), the problems are indistinguishable. A CA who retains a >sysadmin who is barely capable deserves less trust than one who retains >sysadmins who are capable. My bank, when trying to decide which CAs might get removed from the root piles in the future, should also see the problems as indistinguishable. That is, I would hope that my bank would pick a CA who is capable and non-ossified so that, when the incapable and ossified CAs are removed from the root piles, my bank doesn't need to get a new cert. I would not mind if adoption of certificate transparency hastens the shedding of barely-capable CAs; the one-time hassle for some users would be far outweighed by the longer-term benefit to the security of the Internet. --Paul Hoffman _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey