[Chapter-delegates] Isoc initiative in trust and security and Compromised wildcard ssl certificates
Franck Martin
franck at avonsys.com
Tue Sep 6 14:02:16 PDT 2011
Well, ICANN cannot shut down bad registrars.
The rogue SSL are even worse, because there is no single authority like ICANN, and it all depends on which Authority the makers of your browser "trust" for you.
Installing a root SSL for shipping with IE is a tedious process and costs some money. Not sure how it is done for Firefox...
I think we need some eyeballs on certificate authorities (CA), some kind of "consumer council" that gives a rating and puts pressure on CAs to remove rogue franchised outfits quickly.
----- Original Message -----
From: "Marcin Cieslak" <saper at saper.info>
To: "Eduard Tric" <eduard.tric at isoc.ro>
Cc: "Chapter Delegates" <chapter-delegates at elists.isoc.org>
Sent: Wednesday, 7 September, 2011 3:23:34 AM
Subject: Re: [Chapter-delegates] Isoc initiative in trust and security and Compromised wildcard ssl certificates
On Tue, 6 Sep 2011, Eduard Tric wrote:
> Isoc should work with the EU to propose and maintain a trusted list of
> CAs, then extend it globally. It's a registry, just like .org, and
> it's doable.
There is a big question here whether the hierarchical trust model based
on CAs is something fit for the Internet era. There are numerous
drawbacks of the X.509 certification model - it is designed
for a different era of offline signature verification.
I also do not see that the hierarchical model works (i.e. delegation
seldom happens except maybe for some corporate deployments).
In view of the proposed RPKI initiative I think it is worthwhile
to re-examine that model again and probably have a serious
look at the alternatives.
I don't think that pushing the E.U. or anybody else to act may help.
The European community still has problems understanding the failure
of the E.U.-wide electronic digital signature scheme.
Legally, DigiNotar created an E.U.-wide problem, since qualified
signatures from Holland have equal power in the whole Union.
But thanks to practically non-existent support for cross-country
validation there is little to worry about.
Marcin Cieślak
Internet Society Poland
_______________________________________________
Chapter-delegates mailing list
Chapter-delegates at elists.isoc.org
https://elists.isoc.org/mailman/listinfo/chapter-delegates