Re: [TLS] [certid] fyi: paper on compelled, certificate creation attack and applicable appliance

ArkanoiD <> Thu, 25 March 2010 04:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B7D693A6A79; Wed, 24 Mar 2010 21:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 3.235
X-Spam-Level: ***
X-Spam-Status: No, score=3.235 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WAlkFGayQ5lG; Wed, 24 Mar 2010 21:13:46 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id 748E93A6A2D; Wed, 24 Mar 2010 21:13:45 -0700 (PDT)
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id o2P4E3q9032301; Thu, 25 Mar 2010 07:14:03 +0300 (MSK)
Received: (from ark@localhost) by (8.14.3/8.14.3/Submit) id o2P4E3uN021223; Thu, 25 Mar 2010 07:14:03 +0300 (MSK)
X-Authentication-Warning: ark set sender to using -f
Date: Thu, 25 Mar 2010 07:14:02 +0300
From: ArkanoiD <>
To: =JeffH <>
Message-ID: <>
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/
Subject: Re: [TLS] [certid] fyi: paper on compelled, certificate creation attack and applicable appliance
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Mar 2010 04:13:48 -0000

Well, that's quite obvious that PKI in the "big internet" as we know it is
just a card house: if *ANY* CA we trust get compromised or mailicious, it
is all flawed. There is nothing we can do besides examining chain of trust
manually and watching for certificate changes. The TOFU technology described there is quite obvious, i always wondered why ssh has it and browsers do not.

It is completely out of the scope of the certid list, though :-(