[Cryptography] Cue the blamestorming
Phillip Hallam-Baker
hallam at gmail.com
Thu Apr 17 13:10:02 EDT 2014
There but for the grace of ...
Remember DigiNotar and the proposals made then for what to do to the
next CA to screw up? The plot writers for Game of Thrones could have
got some ideas there.
Hasn't taken long for people to start in on the same type of cheap
talk on OpenSSL.
We have some big problems here. And the fact that the US govt. which
we thought was making a significant contribution to COMSEC through the
NSA turns out to have spent less than 0.5% of its budget on COMSEC
standards related activities and most of that went into sabotage.
So I have been looking into some structural alternatives. We need
resources. But more importantly we need to know how to apply them.
Right now I have no doubt that we can work out a solution for OpenSSL.
But that is not the only underfunded software project that has a major
impact on a critical resource.
We have to look at all the points where we might be vulnerable and fix them.
We also need to bring government resources to bear because there are
some things that are really hard to achieve in either a commercial or
a volunteer model.
The WebPKI was designed to support multiple CAs for a reason. Having
multiple CAs does create an incentive for each to keep their
competitors honest. So now we play that game with governments. We
don't need 50 but we need more than the US or the US plus UK and
Canada.
More information about the cryptography
mailing list