Some of you might be interested to know that the New America Foundation held a meeting yesterday to discuss the current strained state of the public CA system for SSL (in which users are exposed to misbehavior by any of 650 CAs from around the world and the governments with the power to coerce them) and potential approaches to improve the situation. See:
http://citp.princeton.edu/events/emerging-threats-to-online-trust/
http://www.newamerica.net/events/2010/online_trust

I watched the video after the fact and found the explanation of the problem entertaining but the discussion of potential solutions disappointing. There was a tendency to retreat to stating generalities or digress to other parts of web security. The only suggestion I heard that might actually solve the problem was to use DNSSEC in some fashion, which is also something IETF is looking into (see http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html).

I have some thoughts of my own about the issue and would be interested to discuss it with others if I could find an appropriate forum.

--
Regards,
Matt