[139032] in North American Network Operators' Group
RE: The state-level attack on the SSL CA security model
daemon@ATHENA.MIT.EDU (Akyol, Bora A)
Fri Mar 25 12:20:38 2011
From: "Akyol, Bora A" <bora@pnl.gov>
To: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
Date: Fri, 25 Mar 2011 09:19:52 -0700
In-Reply-To: <21155.1301069099@localhost>
Cc: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
One could argue that you could try something like the Facebook model (or Facebook itself). I can see it coming.
Facebook web of trust app ;-)
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Friday, March 25, 2011 9:05 AM
To: Akyol, Bora A
Cc: Dobbins, Roland; nanog group
Subject: Re: The state-level attack on the SSL CA security model
On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
> Is it far fetched to supplement the existing system with a reputation
> based model such as PGP? I apologize if this was discussed before.
That would be great, if you could ensure the following:
1) That Joe Sixpack actually knows enough somebodies who are trustable to sign stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the same old CA).
2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion scrape unknown signatures off my PGP key on the keyservers, when people I've never heard of before have signed my key "just because somebody they recognized signed it").
The PGP model doesn't work for users who are used to clicking everything they see, whether or not they really should...
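As an added illustration of the two conditions in the quoted reply (this is example code written for this page, not anything either poster wrote), the block below models the classic PGP key-validity computation: a key becomes valid when it is certified by one fully trusted valid key or by two marginally trusted valid keys, and only signatures from keys that are themselves valid count. The key names, the signature graph and the three "Joe" scenarios are constructed; the thresholds follow the original PGP defaults (GnuPG's `--marginals-needed` defaults to 3), and the model omits trust signatures, expiry and revocation.

```python
"""Toy model of the classic PGP web-of-trust validity computation.

Added example, not from the original thread. Key ids are hypothetical
names, not real fingerprints; the signature graph is constructed.
"""
from enum import IntEnum


class Trust(IntEnum):
    UNKNOWN = 0   # owner never met this person: their signatures count for nothing
    MARGINAL = 1  # owner met them but will not rely on them alone
    FULL = 2      # owner relies on them completely (owner's own key is always FULL)


COMPLETES_NEEDED = 1  # classic PGP default; GnuPG: --completes-needed
MARGINALS_NEEDED = 2  # classic PGP default; GnuPG's --marginals-needed is 3


def compute_validity(owner, signatures, owner_trust):
    """Return the set of key ids the owner's keyring considers valid.

    signatures:  {signee_key: {signer_key, ...}}  certification signatures
    owner_trust: {key: Trust} as assigned by the keyring owner
    Trust flows outward from the owner's own key; iterate to a fixpoint so
    a signer only counts once its own key has become valid.
    """
    trust = dict(owner_trust)
    trust[owner] = Trust.FULL
    valid = {owner}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = [trust.get(s, Trust.UNKNOWN) for s in signers if s in valid]
            if (counted.count(Trust.FULL) >= COMPLETES_NEEDED
                    or counted.count(Trust.MARGINAL) >= MARGINALS_NEEDED):
                valid.add(key)
                changed = True
    return valid


def sign(signatures, signer, signee):
    """Record one certification signature and return the mapping."""
    signatures.setdefault(signee, set()).add(signer)
    return signatures


def build_keyring():
    """Constructed keyring: Joe knows alice and bob; both vouch for carol;
    two strangers vouch for mallory; bob was fooled into signing an impostor."""
    sigs = {}
    sign(sigs, "joe", "alice")
    sign(sigs, "joe", "bob")
    sign(sigs, "alice", "carol")
    sign(sigs, "bob", "carol")
    sign(sigs, "stranger1", "mallory")
    sign(sigs, "stranger2", "mallory")
    sign(sigs, "bob", "alice-impostor")
    return sigs


def careful_joe():
    """Strangers' signatures add nothing, and one fooled friend stays
    below the two-marginals threshold."""
    return compute_validity("joe", build_keyring(),
                            {"alice": Trust.MARGINAL, "bob": Trust.MARGINAL})


def joe_knows_nobody():
    """Condition 1: with a single fully trusted introducer the web of trust
    collapses to a CA: exactly the keys that introducer signed become valid.
    Returns (valid keys, keys the introducer signed)."""
    sigs = {}
    for k in ("alice", "bob", "carol"):
        sign(sigs, "bigca", k)
    sign(sigs, "joe", "bigca")  # Joe imports the CA-like key and trusts it
    valid = compute_validity("joe", sigs, {"bigca": Trust.FULL})
    return valid, {k for k, s in sigs.items() if "bigca" in s}


def blind_joe():
    """Condition 2: Joe signs any key 'because somebody he recognized signed
    it'. His own signature carries FULL trust, so one blind signature defeats
    the threshold, and anyone who trusts Joe now sees his endorsement too."""
    sigs = build_keyring()
    recognised = {"alice", "bob"}
    for key, signers in list(sigs.items()):
        if signers & recognised:
            sign(sigs, "joe", key)
    return compute_validity("joe", sigs,
                            {"alice": Trust.MARGINAL, "bob": Trust.MARGINAL})


if __name__ == "__main__":
    print("careful Joe:", sorted(careful_joe()))
    print("Joe knows nobody:", joe_knows_nobody())
    print("blind Joe:", sorted(blind_joe()))
```

The second scenario is the point about "the same old CA": when Joe has no personally known signers, every valid key traces back to the one introducer he imported. The third shows why blind signing matters to more than Joe himself: the impostor key that a careful verifier would reject becomes valid on his keyring, and his signature on it is published for everyone who assigned him any trust.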