CDR: RE: Public Key Infrastructure: An Artifact...
Ray Dillinger
bear at sonic.net
Mon Nov 20 14:32:47 PST 2000
On Mon, 20 Nov 2000 cgripp at axcelerant.com wrote:
>So what is the acceptable threshold of errors? 1 in 1,000,000? What if
>that 1 is the invalid certificate that allows your bank account to be
>compromised? CAs should either be 100% or 0% trustworthy. I do agree that
>there needs to be a protocol to allow CAs to compare databases of
>certificates for mismatches etc. that might reveal an attempt at publishing a
>fraudulent certificate.
>
>Gripp
For a CA, I'd say 1 in 10^7 requests, tops, would be an
acceptable rate of getting spoofed. But if it were for a
transaction I was really paranoid about, I might require
an error rate of 1 in 10^10 or less. Modulo standard
statistical methods regarding sample sizes, of course --
a new CA that's never been spoofed but has only served
10^8 requests, should be regarded as a hell of a lot less
reliable than a cert that's gotten spoofed 1000 times out
of 10^11 requests, just because of sample sizes and number
of significant figures involved.
But my point is we don't even have a protocol for swapping
and updating information about CAs' reliability rates, so
there's no way to even *assess* the reliability of our current
CAs. We just assume that they are trustworthy, and sometimes
we are wrong. They don't actually check much before they issue
a cert. Also, they don't really have a way of revoking their
certs, so once they realize they've been spoofed they can't
really correct it very easily -- the spoofing site can go on
presenting its spoofed cert for a full year in most cases before
it expires, and if the client doesn't contact the CA's keyserver
directly the client will never know.
I agree with you that CAs should be 100 percent trustworthy.
Pigs should be able to fly, too.
Bear
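Bear's sample-size argument above (a CA never spoofed in 10^8 requests versus one spoofed 1000 times in 10^11) can be made concrete with an upper confidence bound on the spoof rate. The following is an added example, not code from the post or from anyone on the list; it uses the Wilson score interval as the "standard statistical method", which is my choice, since the post names none, and the two CAs and their request counts are constructed from the figures in the post rather than measured from any real CA.

```python
import math

# Constructed from the figures in the post: a CA with no observed spoofs
# over 10^8 requests, and one spoofed 1000 times over 10^11 requests.
# Illustrative numbers only, not measurements of any real CA.
SAMPLE_CAS = {
    "new-ca": (0, 10**8),
    "old-ca": (1000, 10**11),
}

Z_95 = 1.959964  # two-sided 95% normal quantile


def wilson_upper(spoofed, requests, z=Z_95):
    """Upper end of the Wilson score interval for a binomial proportion.

    spoofed:  requests on which the CA was fooled into issuing a bad cert
    requests: total requests served
    Returns the largest spoof rate still compatible with the sample at the
    given confidence.  With spoofed == 0 this is about z**2 / requests, so
    a spotless record over a short history is only a weak guarantee.
    """
    if requests <= 0 or spoofed < 0 or spoofed > requests:
        raise ValueError("need 0 <= spoofed <= requests and requests > 0")
    n = requests
    p_hat = spoofed / n
    z2_n = z * z / n
    denom = 1.0 + z2_n
    center = (p_hat + z2_n / 2.0) / denom
    half = (z / denom) * math.sqrt(p_hat * (1.0 - p_hat) / n + z2_n / (4.0 * n))
    return min(1.0, center + half)


def meets_requirement(spoofed, requests, max_rate, z=Z_95):
    """True if the sample shows, at the given confidence, that the spoof
    rate is no worse than max_rate (e.g. 1e-7 for everyday use, 1e-10 for
    a transaction you are paranoid about)."""
    return wilson_upper(spoofed, requests, z) <= max_rate


def spotless_requests_needed(max_rate, z=Z_95):
    """Requests a CA must serve with zero observed spoofs before a Wilson
    upper bound of max_rate can be claimed.  Solves
    (z^2/n) / (1 + z^2/n) <= max_rate for n."""
    if not 0.0 < max_rate < 1.0:
        raise ValueError("max_rate must be strictly between 0 and 1")
    return math.ceil(z * z * (1.0 - max_rate) / max_rate)


def rank_cas(cas, z=Z_95):
    """Order CA names from most to least trustworthy by the upper bound on
    their spoof rate, not by the raw observed rate."""
    return sorted(cas, key=lambda name: wilson_upper(*cas[name], z=z))


if __name__ == "__main__":
    for name, (k, n) in SAMPLE_CAS.items():
        print(f"{name}: observed {k}/{n} = {k / n:.2e}, "
              f"95% upper bound {wilson_upper(k, n):.2e}")
    print("ranking, best first:", rank_cas(SAMPLE_CAS))
    for rate in (1e-7, 1e-10):
        print(f"spotless requests needed to claim <= {rate:.0e}: "
              f"{spotless_requests_needed(rate):.3e}")
```

Run stand-alone, the script shows the spotless new CA with a 95% upper bound near 3.8e-8 while the CA with 1000 recorded spoofs in 10^11 requests comes in near 1.06e-8, so the second ranks as the more reliable of the two; both clear a 1-in-10^7 requirement and neither clears 1-in-10^10, which needs on the order of 4 x 10^10 spotless requests before it can even be claimed. Plugging in any CA's actual counts, if such counts were ever published, is the assessment the post says we currently have no protocol for.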