[14259] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: End of the line for Ireland's dotcom star

daemon@ATHENA.MIT.EDU (Anonymous via the Cypherpunks Tong)
Wed Sep 24 11:53:40 2003

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: Anonymous via the Cypherpunks Tonga Remailer <nobody@cypherpunks.to>
To: cryptography@metzdowd.com
Date: Wed, 24 Sep 2003 09:54:49 +0200 (CEST)

Peter Gutmann writes:

> Is it really that big a deal though?  You're only ever as secure as the
> *least secure* of the 100+ CAs automatically trusted by MSIE/CryptoAPI
> and Mozilla, and I suspect that a number of those (ones with 512-bit keys
> or moribund web sites indicating that the owner has disappeared) are much
> more of a risk than the GTE/Baltimore/beTRUSTed/whoever-will-follow-them
> succession.

Why is it that none of those 100-odd companies with keys in the browsers
are doing anything with them?  Verisign has such a central role in
the infrastructure, but any one of those other companies could compete.
Why isn't anyone undercutting Verisign's prices?  Look what happened with
Thawte when it adopted this strategy: Mark Shuttleworth got to visit Mir!
Maybe that was a one shot deal, but clearly these keys are not being
utilized up to their economic potential.

Is there some behind the scenes coercion?  Contractual limitations?
Will Microsoft pull the keys if someone tries to compete with Verisign?
What's the deal?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post