CA safety (was: Microsoft supporting tyrants?)

Werner Koch wk at gnupg.org
Thu Mar 31 09:49:56 UTC 2011


On Thu, 31 Mar 2011 10:59, reiter at fsfeurope.org said:

> Maybe it is an idea to implement further restrictions:
> a) only trust specific subca
> b) only give a range of TOP level domains to a root or subca

Yet another X.509 fix.  They have been trying this for 20 years or so.

All that X.509 does these days is to put something(!) different into the
never existing X.500 structure.  The idea of X.500 was to have a global
directory to list all entities which will have a need to be listed.
From a pure technical point this could have worked.  However the
important part has been left out: For a technically imposed structure we
need to have a human controlled organizational structure to set it up.
Now human interactions are by some orders of magnitude more complex than
various ASN.1 encodings.  How could that ever have worked?

The WoT (Web of Trust) idea got it right: It started by looking at how
humans organize themselves and applied a technical structure to support
this.  This is a better approach.  I still don't believe that it will
scale to something like the web we have today.  The prerequisites
changed since the BBS time and thus the WoT won't work in today's highly
interlinked web space.



Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
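Suggestion (b) in the quoted message, giving a root or sub-CA only a range of domains, is what X.509 already calls name constraints (RFC 5280 section 4.2.1.10). The following is an added example, not code from this email or from GnuPG: a small Python model of the dNSName matching rule, applied across a constructed two-CA chain. The CA labels and the domains example.org, example.com and internal.example.org are assumptions chosen for illustration.

```python
"""Model of RFC 5280 name constraints for dNSName entries.

A leaf name is acceptable under one CA's constraints when it falls inside at
least one permitted subtree (if any are given) and inside no excluded subtree.
Every CA in the chain imposes its own constraints on the leaf, so a sub-CA can
only narrow, never widen, what its parent allowed.
"""
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # empty list = no restriction
    excluded: list = field(default_factory=list)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: equal to the subtree, or a subdomain of it.

    Comparison is case-insensitive; trailing dots are ignored and a leading dot
    on the constraint (a common lenient form) is tolerated.
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().lstrip(".").rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def dns_name_permitted(name: str, nc: NameConstraints) -> bool:
    """Apply one CA's permitted/excluded subtrees to a single dNSName."""
    if nc.permitted and not any(dns_in_subtree(name, s) for s in nc.permitted):
        return False
    return not any(dns_in_subtree(name, s) for s in nc.excluded)


def chain_violations(chain, leaf_dns_names):
    """Check every leaf dNSName against every CA in the chain (root first).

    Returns a list of (name, ca_label) pairs; an empty list means the leaf's
    names are within the constraints of all issuers.
    """
    violations = []
    for name in leaf_dns_names:
        for label, nc in chain:
            if not dns_name_permitted(name, nc):
                violations.append((name, label))
    return violations


# Constructed sample chain (assumed labels and domains, not real CAs):
# the root may only issue under example.org, the sub-CA additionally
# excludes the internal.example.org subtree.
SAMPLE_CHAIN = [
    ("root", NameConstraints(permitted=["example.org"])),
    ("sub", NameConstraints(excluded=["internal.example.org"])),
]

SAMPLE_LEAF_NAMES = [
    "www.example.org",                # allowed by both CAs
    "mail.internal.example.org",      # cut off by the sub-CA's exclusion
    "www.example.com",                # outside the root's permitted subtree
]


if __name__ == "__main__":
    for name, label in chain_violations(SAMPLE_CHAIN, SAMPLE_LEAF_NAMES):
        print(f"{name}: rejected by constraints of CA '{label}'")
```

Note that "example.org" as a constraint does not match "notexample.org": the rule requires a label boundary, which is why the check is for equality or a ".subtree" suffix rather than a bare suffix. The constraint is only as good as the verifiers that enforce it, which is the kind of incremental X.509 repair the message above is sceptical about.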
