[Discuss] root CA bloat
Richard Pieri
richard.pieri at gmail.com
Sun Nov 23 12:53:25 EST 2014
On 11/23/2014 11:13 AM, Bill Bogstad wrote:
> Almost... Microsoft didn't authorize MarkMonitor to monitor their
> communications (as far as I know). They authorized them to provide

The concern isn't what MM is doing at the moment; it's what MM is
capable of doing being a trusted CA and a trusted DNS registrar and the
owner of record for Microsoft's domains. Don't focus exclusively on
Microsoft here. All of the big data and social media players are using
MarkMonitor's and CSC's services.

> security of all CAs, top level DNS servers, etc. The problems with
> CA delegation seem much more significant than this one though. Until
> we get a solution to that problem, I'm not going to worry about this
> one.

Like I wrote before, CA delegation cannot be fixed because it isn't
broken. It's operating exactly the way it was designed to operate. If
you want to eliminate the problem with the lack of verifiable trust in
the CAs and their delegates then you have to throw out X.509 PKI and
replace it with something that has verifiable trust mechanisms.
--
Rich P.