Security by asking the drunk whether he's drunk

Peter Gutmann pgut001 at
Tue Dec 30 19:57:47 EST 2008

Sidney Markowitz <sidney at> writes:

>So which is worse, that anyone (allegedly) can get a cert from Comodo for any
>domain without any proof of identity or verification of control of the domain,
>or that CA root certs that use MD5 for their hash are still in use and have
>now been cracked?

... or the fact that one in ten signed Windows binaries are comercial CA-
certified signed malware, or that we have a multibillion dollar global
phishing industry built around the failure of SSL certs to do what they were
supposed to?

On this, the final day of 2008, the 30th anniversary of certificates and the
20th anniversary of X.509, I declare commercial PKI...

... failed [0][1].

It's had thirty years, let's get over it and move on to something that
actually has a hope of working.

Peter (who doesn't see much chance of that happening, unfortunately).

[0] Except to people holding stock in certificate manufacturers, who aren't
    doing so badly.
[1] Or at least "obviously failed", as opposed to the earlier "failed but we
    can pretend there isn't a problem".

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list