Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
> I think that is a better approach actually. The CC TLDs are in effect
> members of a bridge CA and ICANN is merely the bridge administrator.
It is an interesting way to say it, and put that way, I like it.
One activity that I believe is an NSA attack on good crypto is the whole
Certificate Signing Policy thing. Nobody has a clue what it means, or how
the computer systems are supposed to interpret it anyway, but it scares the
lawyers, and so they would rather having nothing.
However, it the root of the trust in country X is the government of country
X, then government can essentially internalize/nationalize all the liability
associated with trusting them. It would be much like governments do with
nuclear power: it only works out because the governments provide the
insurance in the form of legislation...
mcr> Better they do this using good crypto, than that they do this by
mcr> trying to subvert the (US-controlled) crypto.
> Its not all US controlled, you can use GOST...
That's not what I meant.
I didn't mean that the algorithms will be subverted, I meant that the trust
paths will be subverted.
Whether this is by legislating filters against DNS(sec) that ISPs have to
implement, or having an official mitm SSL cert that all desktops must trust,
or just blocking port-443.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr(_at_)sandelman(_dot_)ca http://www.sandelman.ca/ | ruby on
rails [
--
Michael Richardson <mcr+IETF(_at_)sandelman(_dot_)ca>, Sandelman Software Works
pgpmViNCehrr8.pgp
Description: PGP signature