On Wed, Jan 2, 2013 at 8:39 PM, Christopher Morrow <christopher.morrow@gmail.com> wrote:
On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow <christopher.morrow@gmail.com> wrote:
On Jan 2, 2013 7:36 PM, "William Herrin" <bill@herrin.us> wrote:
A "reputable" SSL signer would have to get outed just once issuing a government a re-signing cert and they'd be kicked out of all the browsers. They'd be awfully easy to catch.
Oh! You mean like Cybertrust and Etisalat? Right... That's working just perfectly...
should have included this reference link: <https://www.eff.org/deeplinks/2010/08/open-letter-verizon>
Hi Christopher,

That was nearly 30 months ago. At the time there were no reports of fake Etisalat certs, merely concern that the UAE's regulatory environment was "institutionally hostile to the existence and use of secure cryptosystems."

Has the EFF's SSL Observatory project detected even one case of a fake certificate under Etisalat's trust chain since then?

There's a reason Etisalat's cert is still valid and it isn't Honest Achmed's.
https://bugzilla.mozilla.org/show_bug.cgi?id=647959

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004