[Cryptography] hard to trust all those root CAs

Jerry Leichter leichter at lrw.com
Tue Jul 22 18:07:20 EDT 2014


On Jul 22, 2014, at 11:04 AM, Sandy Harris <sandyinchina at gmail.com> wrote:
> What about restricting the Chinese CA to signing certs in .cn and imposing
> similar restrictions on other CAs?
So who gets to sign certs in .com?  Or, more amusingly, in some of the new vanity domains like .expert?

If you take the point of view that if you want to be a CA for .foo, you should go out and get yourself an address in .foo - in short order, you'll have not 150 CAs but (almost 150) * (number of TLDs).  And the Domain Industrial Complex - all the registrars - will pocket a nice bit of change.

(There have been *practical* efforts to flag the same kind of thing.  I forget the name, but there was a plugin that would warn you of unexpected changes in location of the CA.  So if some US domain moved from one US CA to another - no big deal.  But if suddenly it moves to a Chinese domain - alert the user.)
                                                        -- Jerry
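Added example, not code from the original thread: a toy, defender-side sketch of the two ideas above, a per-TLD restriction on which CAs may sign for a host and a warning when a site's issuing CA moves to a CA in a different country. The CA names, issuer DNs, hostnames and the TLD policy are all constructed.

```python
# Added example, not code from the original thread: a toy defender-side check for the
# two ideas in the post. Issuer DNs, the CA-to-TLD policy and hostnames are constructed.
FIRST_SEEN, UNCHANGED, SAME_COUNTRY, CROSS_COUNTRY = (
    "first-seen", "unchanged", "changed-same-country", "changed-cross-country")

def parse_dn(dn):
    """Split 'C=US, O=Acme, CN=Acme Root' into a dict; escaped commas are not handled."""
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields

def tld_of(hostname):
    """Rightmost label of a hostname, ignoring case and a trailing dot."""
    return hostname.rstrip(".").lower().rsplit(".", 1)[-1]

def issuer_allowed_for(issuer_dn, hostname, scope):
    """'Restrict each CA to its TLDs': scope maps an issuer CN to the TLDs it may sign for.
    A CA absent from the policy gets no TLDs at all (fail closed)."""
    cn = parse_dn(issuer_dn).get("CN", "")
    return tld_of(hostname) in scope.get(cn, set())

def classify_issuer_change(previous_dn, current_dn):
    """The 'warn on an unexpected CA change' idea: a move between CAs in the same
    country is merely noted, a move to a CA in another country is flagged."""
    if previous_dn is None:
        return FIRST_SEEN
    if previous_dn == current_dn:
        return UNCHANGED
    same = parse_dn(previous_dn).get("C") == parse_dn(current_dn).get("C")
    return SAME_COUNTRY if same else CROSS_COUNTRY

def audit(hostname, issuer_dn, previous_dn, scope):
    """Run both checks and return the findings a user-facing warning would list."""
    findings = []
    if not issuer_allowed_for(issuer_dn, hostname, scope):
        findings.append("issuer not permitted for ." + tld_of(hostname))
    if classify_issuer_change(previous_dn, issuer_dn) == CROSS_COUNTRY:
        findings.append("issuing CA moved to another country")
    return findings

# Constructed policy: three hypothetical CAs and the TLDs each may sign for.
SCOPE = {"Sample US CA": {"com", "us"}, "Other US CA": {"com", "us"}, "Sample CN CA": {"cn"}}
US_CA = "C=US, O=Sample US Inc, CN=Sample US CA"
US_CA2 = "C=US, O=Other US Inc, CN=Other US CA"
CN_CA = "C=CN, O=Sample CN Ltd, CN=Sample CN CA"
```

Calling `audit("www.example.com", CN_CA, US_CA, SCOPE)` returns both findings, while a move from `US_CA` to `US_CA2` for the same host returns none, which is the "US CA to US CA, no big deal" case from the post.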



