[Cryptography] hard to trust all those root CAs

Tom Mitchell mitch at niftyegg.com
Mon Jul 21 22:24:24 EDT 2014


On Sun, Jul 20, 2014 at 11:12 PM, Martin Rublik <martin.rublik at gmail.com>
wrote:

> On 20. 7. 2014 7:45, grarpamp wrote:
> ...
> > The mozilla bundle includes about 150. It would be nice if
>
This is not going to get better....

I think the only way to live with this is to
cache many certs and also cache many DNS results.

One additional escape lurks in CSS and friends.
Much web content (not just HTML) is dispersed.
The most common are links in a page to advertising
that also have their own links to other good and bad
services. It is not just turtles all the way down --
it is ugly snapping turtles.....

It seems to me that it is easy for me to cache and check the first
level but it also seems necessary for that same first https(URI)
to also have a hash or cache for all the links and links to links...
that it triggers.

Troubles can be inserted at any level and only at the first level
is it possible to see much of the content-based risks.

Dynamic content is difficult but a registered list at some clickservice.con
could be scraped for scams.... by the big boys or by services.

JavaScript might be up to the task....

One issue is very short TTL lives on dynamic DNS but each
DNS record could contain a signed 'cookie' as a TXT record.

-- 
  T o m    M i t c h e l l
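The "cache many certs and also cache many DNS results" idea above, as a trust-on-first-use cache added here for illustration (not the poster's code): it records the leaf certificate fingerprint and the resolved addresses first seen for a host and reports when either differs later. The hostname, certificate bytes and addresses are constructed placeholders.

```python
import hashlib
import json

class PinCache:
    """Trust-on-first-use store for per-host cert fingerprints and DNS answers."""

    def __init__(self):
        self.pins = {}   # host -> sha256 hex of the leaf certificate (DER bytes)
        self.addrs = {}  # host -> sorted list of addresses last accepted

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def check_cert(self, host: str, cert_der: bytes) -> str:
        fp = self.fingerprint(cert_der)
        seen = self.pins.get(host)
        if seen is None:
            self.pins[host] = fp        # first contact: pin it, trust on first use
            return "new"
        # A differing cert is not auto-accepted: legitimate rotation and an
        # interposed CA-issued cert look identical here, so leave the old pin
        # in place and let the operator decide.
        return "match" if seen == fp else "changed"

    def check_dns(self, host: str, addresses) -> str:
        current = sorted(set(addresses))
        seen = self.addrs.get(host)
        if seen is None:
            self.addrs[host] = current
            return "new"
        if seen == current:
            return "match"
        # Short TTLs on dynamic DNS make some churn normal, so report only
        # the addresses never seen before rather than failing outright.
        return "changed:" + ",".join(a for a in current if a not in seen)

    def dump(self) -> str:
        return json.dumps({"pins": self.pins, "addrs": self.addrs}, sort_keys=True)

def demo():
    cache = PinCache()
    cert_a = b"CONSTRUCTED-DER-BYTES-A"   # placeholder, not a real certificate
    cert_b = b"CONSTRUCTED-DER-BYTES-B"   # a different cert presented later
    return [
        cache.check_cert("example.test", cert_a),
        cache.check_cert("example.test", cert_a),
        cache.check_cert("example.test", cert_b),
        cache.check_dns("example.test", ["192.0.2.10", "192.0.2.11"]),
        cache.check_dns("example.test", ["192.0.2.11", "192.0.2.10"]),
        cache.check_dns("example.test", ["192.0.2.10", "198.51.100.7"]),
    ]
```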