[66385] in North American Network Operators' Group


Re: Verisign CRL single point of failure

daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Fri Jan 9 08:20:52 2004

Date: Fri, 9 Jan 2004 13:20:18 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0401081846290.24186-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


> The consolidation of network power in a single company creates its own threat
> to the critical infrastructure when a single certificate expires instead of
> being randomly distributed among several different organizations.

I'm not sure what's involved in getting your own root certs added to browser/OS
distributions, but there's nothing afaik that says Verisign is the sole company
providing this; presumably anyone else can agree with MS/whoever to have their
root certs added?

On the idea of gapping to RFC1918 space, this is imho not a good solution;
either they need to upgrade their platform to take the load, e.g. multicast, or if
they do want to blackhole traffic, do it to their own IP space [worst case, do it
to an IP block that they don't route].

Steve

