Re: Comodo credibility crisis
- From: Mark Wooding <mdw@xxxxxxxxxxxxxxxx>
- Date: Sun, 28 Dec 2008 18:31:09 +0000 (UTC)
Peter Pearson <ppearson@xxxxxxxxxxxxxxx> wrote:
> Comodo is a Certificate Authority whose root certificates have the
> honor of being in Firefox's built-in certificate set. They seem to
> have made The Big Mistake by lending their credibility to a reseller
> who signed a cert for Eddy Nigg in the name of mozilla.com:
As far as I can see, the way that commercial certificate authorities
operate is fundamentally broken.
The CAs are paid by those who want to have their keys certified. The
/direct/ benefit for this service is to the reliers, who look at the
certificate and decide whether it's satisfactory evidence that the
public key it quotes really belongs to the entity claimed. The CA makes
money whether the certificate requests are honest or not.
There are second order effects which tend to keep the CAs in line, of
course. A bad CA (one that signs dishonest certificates) loses
reputation and may be withdrawn from the tables built into web browsers
and operating systems; and honest merchants would (presumably) rather be
certified by a good CA than a bad one, since it enhances their
credibility.
But there's still a basic conflict. I wish I knew how to repair this
system, but messing with micropayments to make the CAs more directly
answerable to the reliers doesn't seem sensible. Maybe informal systems
such as PGP's web-of-trust or SPKI/SDSI's everyone's-a-CA approach are
just more resilient.
But to me, the surprise is not that this has happened. It's that it
doesn't happen more often.
-- [mdw]
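The structural point made in the reply (a relier's browser accepts any chain that ends at any root in its store, so one careless reseller under one trusted root is enough for any name, and the only remedy is pulling the root) can be shown concretely with a throwaway PKI. The script below is an added example and is not part of the original thread; it assumes the openssl command-line tool (1.1.1 or later) is installed. Every name, key and file in it is constructed for the demo and has nothing to do with the real Comodo certificates.

```sh
#!/bin/sh
# Added example, not from the original thread. Builds a toy PKI with the
# openssl CLI (assumed 1.1.1+): two roots standing in for entries in a
# browser's built-in store, a "reseller" intermediate under one of them,
# and two end-entity certificates for mozilla.com. All names and files
# here are constructed; nothing is taken from the real Comodo case.
set -e

WORK=$(mktemp -d)

# EC key generation (fast, and fine for a demo).
mk_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Self-signed root. `req -x509` marks it CA:TRUE by default.
mk_root() {  # mk_root COMMON-NAME FILE-STEM
  mk_key "$WORK/$2.key"
  openssl req -x509 -new -key "$WORK/$2.key" -subj "/CN=$1" -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Certificate for SUBJECT-CN, signed by ISSUER-STEM's key, extensions from EXTFILE.
sign() {  # sign SUBJECT-CN ISSUER-STEM OUT-STEM EXTFILE
  mk_key "$WORK/$3.key"
  openssl req -new -key "$WORK/$3.key" -subj "/CN=$1" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$4" -out "$WORK/$3.pem" 2>/dev/null
}

# Does LEAF chain to *some* root in STORE (via the untrusted INTER, if given)
# and match HOST? That is the whole question a browser asks; it never asks
# which root, so every root in the store is equally authoritative for every name.
chain_ok() {  # chain_ok STORE INTER-or-"" LEAF HOST
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" \
      -verify_hostname "$4" "$3" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
      -verify_hostname "$4" "$3" >/dev/null 2>&1
  fi
}

build_pki() {
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:mozilla.com,DNS:www.mozilla.com
EOF
  mk_root "Example Root A" root_a       # the root the reseller hangs off
  mk_root "Example Root B" root_b       # the root the real site owner uses
  sign "Example Reseller" root_a  reseller  "$WORK/ca.ext"   # intermediate
  sign "mozilla.com"      reseller misissued "$WORK/leaf.ext" # issued with no check
  sign "mozilla.com"      root_b  legit     "$WORK/leaf.ext"  # the genuine one
  # "Browser store" with both roots, and the same store after Root A is withdrawn.
  cat "$WORK/root_a.pem" "$WORK/root_b.pem" > "$WORK/store_both.pem"
  cp  "$WORK/root_b.pem" "$WORK/store_a_removed.pem"
}

report() {  # report STORE INTER LEAF LABEL
  if chain_ok "$1" "$2" "$3" mozilla.com; then echo "$4: accepted"; else echo "$4: rejected"; fi
}

build_pki
report "$WORK/store_both.pem"      ""                   "$WORK/legit.pem"     "genuine cert, both roots trusted"
report "$WORK/store_both.pem"      "$WORK/reseller.pem" "$WORK/misissued.pem" "misissued cert, both roots trusted"
report "$WORK/store_a_removed.pem" "$WORK/reseller.pem" "$WORK/misissued.pem" "misissued cert, Root A withdrawn"
```

Run as written, the first two chains are accepted and only the third is rejected: from the relier's side the misissued certificate is indistinguishable from the genuine one, because validation is "any root in the store, for any name", and the single lever the relier's vendor has is the one the reply names, removing the root (and with it every honest certificate under it).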