On Sun, Nov 17, 2013 at 5:23 PM, Masataka Ohta <mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Randy Bush wrote:
>> i'll try once again,
>> http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
>
> It correctly states:
>
>     1,800 entities that are able to issue
>     certificates vouching for the identity of any website
>
> that is, one insecure entity is a lot more than enough.
>
> Phillip Hallam-Baker wrote:
>> Their number of intermediate certs is more accurate. But they make
>> the same mistake of conflating an intermediate cert with control
>> of a CA.
>
> Why do you insist on counting the number of Angels when just one
> fallen one is a lot more than enough?
>
> A CA a few key managing personnel of which are under US legislation
> is a lot more than enough.
>
> Masataka Ohta

If you posit an attack against the US CAs, you must also accept that the NSA could make the same threats against the browser providers, which would have the same effect with far less risk of being caught and far fewer consequences of being caught.

If the NSA were to coerce a CA into issuing a false certificate, I would imagine their lawyers would point out to the court that doing so would threaten the stability of the entire Internet economy and that, if discovered, the CA would lose its business.

The NSA would then be facing the downside of a multi-billion dollar lawsuit in public court. The very last thing they want to risk is their unconstitutional search orders being litigated by a plaintiff with standing.
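The premise both sides of the thread take as given, that any one of the ~1,800 trusted entities can vouch for any website, and the one X.509 mechanism that narrows it (name constraints), as an added Go example that is not part of this thread or of the paper; the CA names, the example.com / .example.net hostnames and the validity window are constructed for the demo:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // constructed validity window
// sign issues tmpl under parent; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// newCA makes a self-signed root; a non-nil permitted list adds a critical name constraint.
func newCA(name string, permitted []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, NotBefore: notBefore, NotAfter: notAfter}
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	tmpl.PermittedDNSDomains, tmpl.PermittedDNSDomainsCritical = permitted, permitted != nil
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}
// issueLeaf has ca sign a server cert for host; X.509 never asks whether ca has any relationship with host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // what a browser expects of a TLS server cert
	return sign(tmpl, ca, &key.PublicKey, caKey)
}
// accepted reports whether a client trusting every CA in roots accepts leaf for host.
func accepted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
func main() {
	honest, _ := newCA("Honest Root", nil)
	rogue, rogueKey := newCA("Rogue Root", nil) // one misbehaving member of an otherwise honest trust store
	fmt.Println(accepted(issueLeaf(rogue, rogueKey, "example.com"), []*x509.Certificate{honest, rogue}, "example.com")) // true
	limited, limKey := newCA("Constrained Root", []string{".example.net"})
	fmt.Println(accepted(issueLeaf(limited, limKey, "example.com"), []*x509.Certificate{honest, limited}, "example.com")) // false
}
```

Trust in a root store is a union: the honest root's presence does nothing to stop the rogue one, and only a constrained root (something the public PKI of 2013 almost never deployed) is refused when it strays outside its domains.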