[Chapter-delegates] Isoc initiative in trust and security and Compromised wildcard ssl certificates

Marcin Cieslak saper at saper.info
Tue Sep 6 08:23:34 PDT 2011


On Tue, 6 Sep 2011, Eduard Tric wrote:

> Isoc should work with the Eu to propose and maintain a trusted list of
> CA's, then extend it globally. It's a registry, just like .org, and
> it's doable.

There is a big question here whether the hierarchical trust model based
on CAs is something fit for the Internet era. There are numerous
drawbacks of the X.509 certification model - it is designed
for a different era of offline signature verification.
I also do not see that the hierarchical model works (i.e. delegation
seldom happens except maybe for some corporate deployments).

In view of the proposed RPKI initiative I think it is worthwhile
to re-examine that model again and probably have a serious
look at the alternatives.

I don't think that pushing the E.U. or anybody else to act may help.
The European community still has problems understanding the failure
of the E.U.-wide electronic digital signature scheme.

Legally, DigiNotar created an E.U.-wide problem, since qualified
signatures from Holland have equal power in the whole Union.
But thanks to practically non-existent support for cross-country
validation there is little to worry about.

Marcin Cieślak
Internet Society Poland

