[144455] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Why are we still using the CA model? (Re: Microsoft deems all

daemon@ATHENA.MIT.EDU (Gregory Edigarov)
Mon Sep 12 11:05:56 2011

Date: Mon, 12 Sep 2011 18:04:59 +0300
From: Gregory Edigarov <greg@bestnet.kharkov.ua>
To: nanog@nanog.org
In-Reply-To: <4E6E1D05.3050902@mtcc.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, 12 Sep 2011 07:53:57 -0700
Michael Thomas <mike@mtcc.com> wrote:

> Randy Bush wrote:
> >> But Gregory is right, you cannot really trust anybody completely.
> >> Even the larger and more respectable commercial organisations will
> >> be unable to resist <insert intel organisation here> when they ask
> >> for dodgy certs so they can intercept something..
> >>
> >> No, as soon as you have somebody who is not yourself in control
> >> without any third party verifiably independent oversight then you
> >> have to carefully define what you mean by trust.
> > 
> > i am having trouble with all this.  i am supposed to only trust
> > myself to identify citibank's web site?  and what do i smoke to get
> > that knowledge?  let's get real here.
> > 
> > with dane, i trust whoever runs dns for citibank to identify the
> > cert for citibank.  this seems much more reasonable than other
> > approaches, though i admit to not having dived deeply into them all.
> 
> It seems to me that this depends a lot on how much you can tolerate
> single points of failure. The current de-trusting is certainly going
> to cause trouble for whoever used that CA, but the internet didn't
> roll over and die either. If the root DNS keys were compromised in an
> all DNS rooted world... unhappiness would ensue in great volume.
> 
> Mike, poison and choices...
> 
let me state clearly what I am writing about:
ok, suppose there is a site on the internet that has a certificate
issued by one of the major CAs. how could one know that the certificate
wasn't issued to a forged identity?


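The DANE approach Randy Bush describes above (trust the domain's DNS operator to say which certificate is the right one) can be made concrete with the TLSA matching rules from RFC 6698. The following is an added example, not code from anyone in this thread: it hand-builds X.509-shaped certificates in DER (no real signatures; the key bytes, CA names and the name `www.example.com` are all constructed placeholders), computes the TLSA association data a zone operator would publish at `_443._tcp.www.example.com`, and checks a presented certificate against that record. The point it demonstrates is the one Gregory asks about: a certificate for the same name issued by a different CA to a different key fails the DANE-EE check regardless of which CA signed it, while a re-issued certificate carrying the same public key still matches when the record uses selector 1 (SubjectPublicKeyInfo).

```python
"""DANE/TLSA matching (RFC 6698) against constructed toy certificates.

Added example for the NANOG thread; not from any participant. The
certificates are hand-built DER with placeholder signatures, so only the
structure TLSA cares about (full-cert bytes and SubjectPublicKeyInfo) is real.
"""
import hashlib

# --- minimal DER encode/decode: single-byte tags, definite lengths only ---
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body

def der_body(elem: bytes) -> bytes:
    """Return an element's contents with tag and length header stripped."""
    ln = elem[1]
    return elem[2 + (ln & 0x7F):] if ln & 0x80 else elem[2:]

def der_children(body: bytes) -> list:
    """Split a constructed DER body into its top-level TLV elements."""
    out, pos = [], 0
    while pos < len(body):
        ln, hdr = body[pos + 1], 2
        if ln & 0x80:
            n = ln & 0x7F
            ln = int.from_bytes(body[pos + 2:pos + 2 + n], "big")
            hdr += n
        out.append(body[pos:pos + hdr + ln])
        pos += hdr + ln
    return out

def name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here just CN (2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def make_cert(subject_cn: str, issuer_cn: str, pubkey: bytes) -> bytes:
    """Constructed X.509-shaped certificate (signature bytes are a placeholder)."""
    rsa_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + pubkey))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + rsa_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + rsa_alg + tlv(0x03, b"\x00placeholder-signature"))

def spki_of(cert_der: bytes) -> bytes:
    """Extract the SubjectPublicKeyInfo element from a certificate."""
    tbs = der_children(der_body(cert_der))[0]
    fields = der_children(der_body(tbs))
    # the explicit [0] version (tag 0xA0) is optional and shifts the SPKI index
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

# --- TLSA (RFC 6698): usage, selector, matching type, association data ---
def tlsa_association(cert_der: bytes, selector: int, mtype: int) -> bytes:
    data = cert_der if selector == 0 else spki_of(cert_der)   # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return data                                           # exact bytes
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes) -> str:
    """Presentation form of a TLSA record, e.g. '3 1 1 <hex>'."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_association(cert_der, selector, mtype).hex())

def parse_tlsa(rdata: str):
    u, s, m, h = rdata.split()
    return int(u), int(s), int(m), bytes.fromhex(h)

def dane_matches(tlsa_rrset: list, chain: list) -> bool:
    """True if a DANE-EE (usage 3) record matches the leaf or a DANE-TA (usage 2)
    record matches some certificate in the presented chain. PKIX-TA/-EE (0, 1)
    additionally require ordinary CA validation and are not handled here."""
    for rdata in tlsa_rrset:
        usage, sel, mt, assoc = parse_tlsa(rdata)
        candidates = chain[:1] if usage == 3 else chain if usage == 2 else []
        if any(tlsa_association(c, sel, mt) == assoc for c in candidates):
            return True
    return False

# constructed scenario: same subject name, three different issuers
LEGIT_KEY, FORGED_KEY = b"\x01" * 32, b"\x02" * 32
LEGIT = make_cert("www.example.com", "Good CA", LEGIT_KEY)
FORGED = make_cert("www.example.com", "Mis-issuing CA", FORGED_KEY)      # attacker's key, CA-signed
REISSUED = make_cert("www.example.com", "Other CA", LEGIT_KEY)          # legitimate key, new CA

# what the zone operator publishes at _443._tcp.www.example.com (DANE-EE, SPKI, SHA-256)
TLSA_RRSET = [tlsa_rdata(3, 1, 1, LEGIT)]

def demo() -> dict:
    return {
        "legit": dane_matches(TLSA_RRSET, [LEGIT]),
        "forged_by_ca": dane_matches(TLSA_RRSET, [FORGED]),
        "reissued_same_key": dane_matches(TLSA_RRSET, [REISSUED]),
    }

if __name__ == "__main__":
    print(TLSA_RRSET[0])
    print(demo())
```

Selector 1 with matching type 1 is the usual choice for DANE-EE because the record survives a certificate renewal that keeps the key; selector 0 would pin the exact certificate bytes and break on every re-issue. The example only does the association match; a real client also needs the TLSA RRset to arrive DNSSEC-validated, which is exactly where the thread's concern about a DNS-rooted single point of failure applies.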