ietf

Re: Number of CAs

2013-11-17 18:21:09
On Sun, Nov 17, 2013 at 5:23 PM, Masataka Ohta <mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:

Randy Bush wrote:

i'll try once again,
http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

It correctly states:

        1,800 entities that are able to issue
        certificates vouching for the identity of any website

that is one insecure entity is a lot more than enough.

Phillip Hallam-Baker wrote:

Their number of intermediate certs is more accurate. But they make
the same mistake of conflating an intermediate cert with control
of a CA.

Why do you insist on counting the number of Angels when just one
fallen one is a lot more than enough?

A CA a few key managing personnel of which are under US legislation
is a lot more than enough.

                                                Masataka Ohta


The four most widely used browsers are all produced by US companies.

If you posit an attack against the US CAs you must also accept that the NSA
could make the same threats against the browser providers which would have
the same effect with far less risk of being caught and far fewer
consequences to being caught.

If the NSA was to coerce a CA into issuing a false certificate I would
imagine their lawyers would point out to the court that doing so would
threaten the stability of the entire Internet economy and that if
discovered the CA would lose its business.

The NSA would then be facing the downside of a multi-billion dollar lawsuit
in public court. The very last thing they want to risk is their
unconstitutional search orders being litigated by a plaintiff with standing.


-- 
Website: http://hallambaker.com/