Fuming Google tears Symantec a new one over rogue SSL certs

Michael Wojcik Silver badge

The concept of trusting some company full of incompetent pricks to accurately and securely provide the ID credentials for anyone else is a bit of an oversight that's now showing the true nature of how flawed it really is.

Particularly when the economics strongly favor sloppy behavior. Actually checking identities before signing certificates, for example, is a cost with no obvious return for the CA, and the costs of not doing so are almost all externalities.

The flat-tree hierarchy we currently have for the public X.509 PKI certainly doesn't help either.

Of course, people have proposed various other PKI architectures, even using the (dreadful) X.509 certificates. RFC 4158 describes mesh and cross-certified structures, among other options. But there's been little work to try to build them, and if you want to use generally-available software with them you have your work cut out for you. (There was a discussion of using a mesh PKI on the OpenSSL-Users list some time back, and the conclusion was "roll your own verification". Now, sometimes that's necessary anyway, but it certainly doesn't help broaden adoption.)
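Added example, not part of the comment above and not OpenSSL code: a sketch of why path discovery in a cross-certified mesh needs a search with loop detection rather than simple issuer-following. It models name chaining only; the CA names and `server.example` are constructed, and every candidate path would still need full validation (signatures, validity periods, constraints) before being trusted.

```python
from collections import defaultdict, namedtuple

Cert = namedtuple("Cert", "issuer subject")  # name chaining only, no keys or signatures

# Constructed mesh: three peer CAs cross-certified in both directions, one end-entity.
CERTS = [Cert("CA-C", "CA-B"), Cert("CA-A", "CA-B"), Cert("CA-B", "CA-C"),
         Cert("CA-A", "CA-C"), Cert("CA-B", "CA-A"), Cert("CA-C", "CA-A"),
         Cert("CA-C", "server.example")]

def index_by_subject(certs):
    by_subject = defaultdict(list)
    for cert in certs:
        by_subject[cert.subject].append(cert)
    return by_subject

def first_issuer_chain(target, trust_anchor, certs):
    """Hierarchy-style chaining: take the first issuer found, never backtrack."""
    by_subject = index_by_subject(certs)
    name, path, seen = target, [], {target}
    while by_subject.get(name):
        cert = by_subject[name][0]
        path.append(cert)
        if cert.issuer == trust_anchor:
            return path
        if cert.issuer in seen:
            return None  # walked into a cross-certification loop
        seen.add(cert.issuer)
        name = cert.issuer
    return None

def build_paths(target, trust_anchor, certs, max_len=8):
    """Depth-first search for every loop-free path, target first, shortest first."""
    by_subject, paths = index_by_subject(certs), []

    def walk(name, path, seen):
        for cert in by_subject.get(name, []):
            if cert.issuer in seen or len(path) >= max_len:
                continue  # loop detection and a length bound
            if cert.issuer == trust_anchor:
                paths.append(path + [cert])
            else:
                walk(cert.issuer, path + [cert], seen | {cert.issuer})

    walk(target, [], {target})
    return sorted(paths, key=len)

if __name__ == "__main__":
    print("first-issuer:", first_issuer_chain("server.example", "CA-A", CERTS))
    for p in build_paths("server.example", "CA-A", CERTS):
        print(" <- ".join([p[0].subject] + [c.issuer for c in p]))
```

With the relying party anchored at CA-A, the first-issuer walk bounces between CA-C and CA-B and gives up, while the search finds both the direct and the indirect path.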
