Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote: > I think that is a better approach actually. The CC TLDs are in effect > members of a bridge CA and ICANN is merely the bridge administrator. It is an interesting way to say it, and put that way, I like it. One activity that I believe is an NSA attack on good crypto is the whole Certificate Signing Policy thing. Nobody has a clue what it means, or how the computer systems are supposed to interpret it anyway, but it scares the lawyers, and so they would rather having nothing. However, it the root of the trust in country X is the government of country X, then government can essentially internalize/nationalize all the liability associated with trusting them. It would be much like governments do with nuclear power: it only works out because the governments provide the insurance in the form of legislation... mcr> Better they do this using good crypto, than that they do this by mcr> trying to subvert the (US-controlled) crypto. > Its not all US controlled, you can use GOST... That's not what I meant. I didn't mean that the algorithms will be subverted, I meant that the trust paths will be subverted. Whether this is by legislating filters against DNS(sec) that ISPs have to implement, or having an official mitm SSL cert that all desktops must trust, or just blocking port-443. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@xxxxxxxxxxxx http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works
Attachment:
pgpCTObDHZOs2.pgp
Description: PGP signature