CDR: RE: Public Key Infrastructure: An Artifact...
cgripp at axcelerant.com
cgripp at axcelerant.com
Mon Nov 20 13:06:09 PST 2000
So what is the acceptable threshold of errors? 1 in a 1000000? What if
that 1 is the invalid certificate that allows your bank account to be
compromised. CA's should either be 100% or 0% trustworthy. I do agree that
there needs to be a protocol to allow CA's to compare databases of
certificates for mismatches etc that might reveal an attempt at publishing a
fraudulent certificate.
Gripp
-----Original Message-----
From: owner-cryptography at c2.net [mailto:owner-cryptography at c2.net]On
Behalf Of Ray Dillinger
Sent: Monday, November 20, 2000 11:41 AM
Cc: cryptography at c2.net; cypherpunks at cyberpass.net
Subject: Re: Public Key Infrastructure: An Artifact...
On Mon, 20 Nov 2000 Lynn.Wheeler at firstdata.com wrote:
>as pure asside ... any SSL server certificate signed by any CA
> in my browswer's CA list is acceptable.
>
>my broswer makes no distinction on which CA signed what ...
> and/or even what they signed. If I get a certificate signed
> by any CA in my browswers list that says foo.bar ...
I think that one of the major problems with PKI is the "binary-ness"
of it. Everything gets shoveled into "acceptable" or "not acceptable"
at the end of the process, but I don't think it's appropriate in
trust decisions to have stuff shoveled into "acceptable" and "not
acceptable" piles at the very beginning.
We can't give a numeric score to the degree of trust we place in a
CA. There's no protocol for exchanging information about breaches
in trust regarding particular certs, so we can't have a policy for
auto-updating our trust model. If I get a spoofed cert from a CA,
and notice it, I ought to be able to downgrade the trust in that CA
- without necessarily removing ALL trust in that CA. Furthermore,
my system ought to pass along the news about the spoofed cert, along
with the signature that proves it came from that CA, so that other
systems can do the same.
"Gossip" is really the only way a robust trust model can work.
systems have to at least be ABLE to notify and inform one another
when there's a breach of trust involving a CA, and different
people have to be able to set the threshold for trust at different
points.
Bear
More information about the cypherpunks-legacy
mailing list