[Top] [All Lists]

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

2009-01-08 08:55:48

--On Thursday, January 08, 2009 08:23:55 PM +1300 Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> wrote:

Jeffrey Hutzelman <jhutz(_at_)cmu(_dot_)edu> writes:

Perhaps a solution to this is a new model.

A good start...

which for a fee provides

... and it just failed right there.

Perhaps, but it's fairly well essential. That fee is the basis for the trust anchor provider's contractual obligation to the end user. Drop that, and the whole thing falls apart.

Note that charging a fee for this service is not absurd. Lots of people (consumers) pay fees for up-to-date lists of virus signatures, phishing sites, spam-blocking rules, and so on.

-- Jeff