[144476] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (Mike Jones)
Mon Sep 12 14:25:37 2011
In-Reply-To: <201109121739.p8CHdovQ002359@mail.r-bonomi.com>
From: Mike Jones <mike@mikejones.in>
Date: Mon, 12 Sep 2011 19:23:37 +0100
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 12 September 2011 18:39, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
> Seriously, about the only way I see to ameliorate this kind of problem is
> for people to use self-signed certificates that are then authenticated
> by _multiple_ 'trust anchors'. If the end-user world raises warnings
> for a certificate 'authenticated' by say, less than five separate entities.
> then the compromise of any _single_ anchor is of pretty much 'no' value.
> Even better, let the user set the 'paranoia' level -- how many different
> 'trusted' authorities have to have authenticated the self-signed certificate
> before the user 'really trusts' it.
So if I want my small website to support encryption, I now have to pay
5 companies, and hope that all my users have those 5 CAs in their
browser? Much better to use the existing DNS infrastructure (that all
5 of them would likely be using for their validation anyway), and not
have to pay anyone anything.
- Mike