[Cryptography] Other obvious issues being ignored?

Tom Mitchell mitch at niftyegg.com
Fri Oct 23 22:06:07 EDT 2015


On Wed, Oct 21, 2015 at 6:19 AM, John Denker <jsd at av8n.com> wrote:

> On 10/19/2015 06:10 AM, Thierry Moreau wrote:
> >
> > What other "obvious" questions are we ignoring?
>
> This is a fascinating, important thread.
>
> Here's something to add to the list:
>
> *) The fact that my operating system shipped with something like
>  170 trusted "root" CAs is a problem.  When the attack surface is
>  that large, it cannot be defended.  This is a profound, grotesque,
>  obvious problem.
>
>  It makes a mockery of the intended meaning of "root".


This tangle of "root" CAs is a problem.

It might be possible to graft a domain system on top,
i.e. it is possible for credit card processing systems to double-check
the https CA and key.  Visa might have one overview domain, MasterCard
another...  i.e. to process a Visa card from your site you must also
link your CA record to a data structure at Visa.  In this way all other
CA references to "your-domain" would be ignored by the payment system.
The devil is in the details.


-- 
  T o m    M i t c h e l l
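The per-network "overview domain" idea in the message above, as an added example that is not part of the original post and not code from any payment network: a registry kept by the processor maps each merchant domain to the SPKI fingerprints of the CAs that network has approved for it, and a chain presented by the merchant is accepted only if it terminates at one of those CAs. Every other CA, including the ~170 in the OS trust store, is ignored for that domain. Certificates are modelled as plain dicts and the SPKI byte strings are constructed stand-ins (no real X.509 parsing); the registry name `VISA_REGISTRY`, the CA names and the merchant domain are all hypothetical. Signature checking of each link is assumed to be done by the TLS stack; this layer only decides which CA is allowed to have issued the leaf.

```python
"""Per-domain CA pinning overlay for a payment processor (toy model).

Assumption: the TLS library has already verified that each certificate
in the chain is signed by the next one.  This layer adds the policy
"for merchant domain D, only CA(s) registered with the network may have
issued the leaf", so a valid-looking chain from any other root is refused.
"""
import hashlib
from typing import Dict, List, Set

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo bytes, as hex (here: sample bytes)."""
    return hashlib.sha256(spki_der).hexdigest()

# Constructed sample SPKI blobs; real ones would be DER from the certificates.
VISA_CA_SPKI = b"spki:visa-approved-ca-2015"        # hypothetical network-approved CA
OTHER_CA_SPKI = b"spki:some-other-trusted-root"     # in the OS store, not registered
MERCHANT_SPKI = b"spki:merchant-example-com-key"

# Hypothetical registry held by the payment network: domain -> allowed issuer SPKI hashes.
VISA_REGISTRY: Dict[str, Set[str]] = {
    "merchant.example.com": {spki_fingerprint(VISA_CA_SPKI)},
}

def verify_against_registry(domain: str, chain: List[dict],
                            registry: Dict[str, Set[str]]) -> bool:
    """True only if the leaf for `domain` is issued by a CA registered for it.

    chain[0] is the leaf; chain[i+1] must be the issuer of chain[i]
    (linkage matched by name here; signatures assumed checked by TLS).
    A domain with no registry entry is refused outright rather than
    falling back to the OS trust store.
    """
    allowed = registry.get(domain)
    if not allowed:
        return False
    if not chain or chain[0]["subject"] != domain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False  # broken chain linkage
        if spki_fingerprint(issuer["spki"]) in allowed:
            return True   # issued (directly or via an intermediate) by a registered CA
    return False          # chain ends at a CA the network never approved

# Constructed sample chains.
GOOD_CHAIN = [
    {"subject": "merchant.example.com", "issuer": "Visa Approved CA", "spki": MERCHANT_SPKI},
    {"subject": "Visa Approved CA", "issuer": "Visa Approved CA", "spki": VISA_CA_SPKI},
]
# Same merchant name, but issued by a different root that the OS would trust.
ROGUE_CHAIN = [
    {"subject": "merchant.example.com", "issuer": "Other Root CA", "spki": b"spki:attacker-key"},
    {"subject": "Other Root CA", "issuer": "Other Root CA", "spki": OTHER_CA_SPKI},
]
# Registered CA, but the leaf is for a domain not enrolled with the network.
UNENROLLED_CHAIN = [
    {"subject": "shop.example.net", "issuer": "Visa Approved CA", "spki": b"spki:shop-key"},
    {"subject": "Visa Approved CA", "issuer": "Visa Approved CA", "spki": VISA_CA_SPKI},
]

def demo() -> Dict[str, bool]:
    """Run the three sample chains through the registry check."""
    return {
        "good": verify_against_registry("merchant.example.com", GOOD_CHAIN, VISA_REGISTRY),
        "rogue": verify_against_registry("merchant.example.com", ROGUE_CHAIN, VISA_REGISTRY),
        "unenrolled": verify_against_registry("shop.example.net", UNENROLLED_CHAIN, VISA_REGISTRY),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The "rogue" case is the one the proposal targets: a certificate for the merchant's name from any of the other shipped roots is refused by the payment system even though a browser would accept it. The "unenrolled" case shows the other design choice the details would have to settle: whether a domain with no registry entry is refused (as here) or falls back to the ordinary trust store.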