Has any public CA ever had their certificate revoked?

Jerry Leichter leichter at lrw.com
Tue May 5 18:44:01 EDT 2009


On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
> ...This leads to the question: if a CA in a trust anchor pile does  
> something wrong (terribly wrong, in this case) and fixes it, should  
> they be punished? If you say "yes", you should be ready to answer  
> "who will benefit from the punishment" and "in what way should the  
> CA be punished"....
The same question can be asked about *any* instance of criminal  
behavior, or of any other kind of behavior that is considered "bad  
enough" to be worthy of punishment.  To go to the extreme:  The victim  
is already dead, jailing the murderer won't bring him back - all you  
are doing is costing society directly (we have to pay the costs of  
keeping him in jail - quite expensive, actually) and indirectly (we  
won't have the fruits of his labor - like, say, new file systems).  We  
punish acts to send a message that certain things are unacceptable, to  
deter the actor and others, out of a sense of justice, and for other  
related reasons.  The beneficiaries are *everyone else*.

The strength of Tit For Tat as a strategy shows that motives like this  
tap into very basic properties of multi-party games.

As for what your punishment as a "bad CA" should be:  Realistically,  
in any industry based on trust, the major component of punishment  
should be loss of trust - which results in people refusing to do  
business with you any more, which will usually put you out of  
business.  In egregious cases, we send people to jail (where they can  
spend time with Bernie Madoff).  We also have mechanisms that aren't  
punishments but deal with the equities of the situation:  They try to  
right the wrongs.  So if I can show that your malfeasance as a CA led  
to my losing money, you have to compensate me.  There's a whole grey  
area in between that centers on the principle that you should not be  
allowed to profit from your ill-gotten gains - whether or not we can  
figure out how to return those gains to those who rightly should have  
them.

Thierry Moreau has already pointed out that political/economic reality  
here makes any meaningful punishment impossible.  That's why the CA  
industry can't ever really be a trust industry - you can't rely on a  
party who disclaims all responsibility, no matter what.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com