nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

From: Mike Jones <mike () mikejones in>
Date: Mon, 12 Sep 2011 19:23:37 +0100
On 12 September 2011 18:39, Robert Bonomi <bonomi () mail r-bonomi com> wrote:

Seriously, about the only way I see to ameliorate this kind of problem is
for people to use self-signed certificates that are then authenticated
by _multiple_ 'trust anchors'.  If the end-user world raises warnings
for a certificate 'authenticated' by say, less than five separate entities.
then the compomise of any _single_ anchor is of pretty much 'no' value.
Even better, let the user set the 'paranoia' level -- how many different
'trusted' authorities have to have authenticated the self-signed certificate
before the user 'really trusts' it.


So if I want my small website to support encryption, I now have to pay
5 companies, and hope that all my users have those 5 CAs in their
browser? Much better to use the existing DNS infrastructure (that all
5 of them would likely be using for their validation anyway), and not
have to pay anyone anything.

- Mike
Previous By Date Next
Previous By Thread Next

Current thread: