BLU Discuss list archive
[Discuss] root CA bloat
- Subject: [Discuss] root CA bloat
- From: bogstad at pobox.com (Bill Bogstad)
- Date: Sun, 23 Nov 2014 09:26:26 +0100
- In-reply-to: <5471272F.4090506@gmail.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546D7B55.70903@gmail.com> <BN3PR0401MB1204E9F1CF304F6724855281DC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546FC87F.1090203@gmail.com> <546FE733.8070007@gmail.com> <CAJFsZ=pXgxcG5zeD=zg+us8uanYgRGEcToYAjuwekH7+K980Yg@mail.gmail.com> <5470A912.2080801@gmail.com> <CAJFsZ=rvcyoP+Op7EG01kkJyMM72mwg=sicPHF5fVdRbYceApw@mail.gmail.com> <5471272F.4090506@gmail.com>
On Sun, Nov 23, 2014 at 1:15 AM, Richard Pieri <richard.pieri at gmail.com> wrote:
> On 11/22/2014 4:15 PM, Bill Bogstad wrote:
>>
>> I already mentioned part of this in my first note. They would have to
>> do it by changing the nameserver entries for the microsoft.com domain
>> at the .com DNS servers which I'm pretty sure they don't run.
>
>
> MarkMonitor owns the microsoft.com and msft.net domains along with a slew of
> variations of those domain names. As owner of the domain, MarkMonitor could
> have VeriSign change the top level registration. It would not be bad data
> because MarkMonitor is the owner of the domain.
>
> Would it be visible? Sure. Any change in a public space is visible. Would
> MarkMonitor's customers care? Absolutely. MM would be doing what it is being
> paid to do: protect its customers' trademarks and copyrights without
> resorting to raids like the NoIP raid. Would the world notice? Probably not.
> MarkMonitor has been doing it for going on 15 years.

If they did something that Microsoft hadn't requested then I'm pretty
sure somebody would both notice AND care.

This is all in the context of attacking the security of Internet
communications via a MITM attack. If Microsoft (one of the two parties
communicating in this example) authorized it, then it isn't MITM.
Whether it is done via Microsoft directly disclosing my communications
or via allowing some other third party agent to do so is not really
relevant to me. As far as I can tell that is the "risk" that you are
now describing.

The "risk" is in ever talking to them at all and I don't see how
technology can really solve that. Even Off the Record Messaging
(http://en.wikipedia.org/wiki/Off-the-Record_Messaging) doesn't keep
the other party from disclosing the contents. It just stops them from
proving that I'm the person who said it.

Bill Bogstad