[Cryptography] Toxic Combination

Dave Howe davehowe.pentesting at gmail.com
Tue Dec 9 04:22:20 EST 2014


On 08/12/2014 19:48, Anne & Lynn Wheeler wrote:
> Older observations. In the mid-to-late 90s, the CA industry was floating
> a $20B/annum business case around Wall Street ... supposedly the
> financial industry would front $100/customer/annum individual digital
> certificates. That didn't happen, but they were heavily lobbying gov. to
> mandate $100/public/annum digital certificate.
>
> We had gone into a large financial institution that had been conned into
> doing a CA-based online financial infrastructure. They had spent $50M on
> a pilot ... but when they told the board that the CA was asking that they
> send them 14M account records which the CA would convert to 14M digital
> certificates and only charge $1.4B ... the board shut the whole operation
> down.
You would think they would go down the path of setting up their own CAs
for that - cheaper to set up a working group between them, get an HSM-based
root, and issue signing certs to member institutions....
