On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said:
To pop up the stack a bit it's the fact that an organization willing to behave in that fashion was in my list of CA certs in the first place. Yes they're blackballed now, better late than never I suppose. What does that say about the potential for other CAs to behave in such a fashion?
I'm sure at least one of the other 250-odd certificates from 100-ish CA's trusted by most browsers now are actually trustworthy. There is no evidence at all that the average CA is any less trustworthy than the average DNS registrar. However, this isn't as big a problem as one might think - the *only* thing that an SSL sert gives you is "you reached the host your browser tried to reach". It does *not* validate "the host you intended to reach", or "whether you should trust this host with your data", or any of a long set of interesting security issues. And that one question - "did you reach the host your browser tried to reach" doesn't really mean much unless you have DNS and routing security in place as well. After all, if the IP you get for www.my-bank.com is incorrect, or the route has been hijacked, what the cert says is pretty meaningless. Considering that we seem to muddle along just fine with a DNS that doesn't really do DNSSEC yet(*), and a lot of black and grey hat registrars out there, and no real BGP security either, maybe it isn't the "sky is falling" scenario that a lot of people want to make it. Or maybe we should all be even more worried. ;) (*) Has anybody actually enabled "only accept DNSSEC-signed A records" on an end user system and left it enabled for more than a day before giving up in disgust? ;)