On Mon, 20 Nov 2000 cgripp@axcelerant.com wrote:
So what is the acceptable threshold of errors? 1 in 1,000,000? What if that 1 is the invalid certificate that allows your bank account to be compromised? CAs should either be 100% or 0% trustworthy. I do agree that there needs to be a protocol to allow CAs to compare databases of certificates for mismatches, etc., that might reveal an attempt at publishing a fraudulent certificate.
Gripp
For a CA, I'd say 1 in 10^7 requests, tops, would be an acceptable rate of getting spoofed. But if it were for a transaction I was really paranoid about, I might require an error rate of 1 in 10^10 or less. Modulo standard statistical methods regarding sample sizes, of course -- a new CA that's never been spoofed but has only served 10^8 requests should be regarded as a hell of a lot less reliable than a cert that's gotten spoofed 1000 times out of 10^11 requests, just because of sample sizes and the number of significant figures involved.

But my point is we don't even have a protocol for swapping and updating information about CAs' reliability rates, so there's no way to even *assess* the reliability of our current CAs. We just assume that they are trustworthy, and sometimes we are wrong. They don't actually check much before they issue a cert. Also, they don't really have a way of revoking their certs, so once they realize they've been spoofed they can't really correct it very easily -- the spoofing site can go on presenting its spoofed cert for a full year in most cases before it expires, and if the client doesn't contact the CA's keyserver directly the client will never know.

I agree with you that CAs should be 100 percent trustworthy. Pigs should be able to fly, too.

Bear
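The sample-size argument above (0 spoofs in 10^8 requests versus 1000 in 10^11) can be made concrete with a one-sided upper confidence bound on the spoof rate. This is an added example, not code from either poster; it assumes the Poisson approximation to the binomial (rates tiny, counts large) and a 95% one-sided bound, and the spoof counts are the constructed figures from the thread.

```python
"""Upper confidence bound on a CA's spoof rate from observed counts.

Added example. Assumption: spoof events are rare enough that a Poisson
model for the count is adequate; the bound is one-sided at 95%.
"""
import math


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam); each term computed in log space
    so k around 1000 does not overflow the factorial."""
    if lam <= 0.0:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(i * math.log(lam) - lam - math.lgamma(i + 1))
    return min(total, 1.0)


def upper_bound_rate(spoofed: int, requests: int, confidence: float = 0.95) -> float:
    """Largest per-request spoof rate still consistent with the data.

    Solves P(X <= spoofed | lam) = 1 - confidence for lam by bisection
    (the CDF is decreasing in lam), then divides by the request count.
    """
    alpha = 1.0 - confidence
    lo, hi = 0.0, (spoofed + 1) * 10.0 + 10.0  # hi is safely past the root
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(spoofed, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi / requests


def meets_target(spoofed: int, requests: int, target_rate: float,
                 confidence: float = 0.95) -> bool:
    """True if the CA can be shown, at this confidence, to be at or below
    the target spoof rate (e.g. 1e-7 or 1e-10 from the thread)."""
    return upper_bound_rate(spoofed, requests, confidence) <= target_rate


if __name__ == "__main__":
    # Constructed figures from the discussion: a new CA with a clean record
    # but little history, versus an old CA with a known spoof count.
    new_ca = upper_bound_rate(0, 10**8)
    old_ca = upper_bound_rate(1000, 10**11)
    print(f"new CA, 0/1e8:      rate <= {new_ca:.2e}")
    print(f"old CA, 1000/1e11:  rate <= {old_ca:.2e}")
    print("new CA meets 1e-10?", meets_target(0, 10**8, 1e-10))
```

With no spoofs observed the bound is roughly 3/n (about 3e-8 here), so the "clean" CA cannot yet be shown to meet a 1e-10 target, while the CA with 1000 spoofs in 1e11 requests bounds at about 1.05e-8, tighter than the newcomer.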