Access to www.gnupg.org only via TLS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Apr 30 23:48:30 CEST 2014


On 04/30/2014 03:40 PM, Faramir wrote:
> It is like providing free airplane tickets, and then charging for the
> parachute.

I like this analogy, but it only covers one part of the CA's
relationships -- the relationship with the subscriber.  But the CA also
has other relationships, including its relationship with the so-called
relying parties.

Another way to put it is: the CA's job, in the bigger picture of the
X.509 ecosystem, is to say *only true things*.  Anywhere that a CA says
untrue things, it is failing its job, and relying parties cannot rely on
it.  A CA isn't obliged to say *all* true things, but it is obliged to
say *only* true things.

So a CA who learns that a statement that it has made is untrue *should*
revoke that statement as soon as it finds out (oh, i wish our revocation
infrastructure actually worked properly too, but that's a different
rant).  The fact that a CA knows that one of its outstanding statements
is untrue, but it will not revoke it until someone else has paid it to
do so should be deeply disturbing for anyone who is a relying party on
that CA.

(and since Startcom is pre-loaded in almost every major trust store,
that means that everyone is a relying party on Startcom by default)

	--dkg
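An added illustration of the relying-party side of this argument (it is not part of dkg's message, nor GnuPG or any real CA's code): a small Go program that builds a throwaway CA, a leaf for the made-up name example.test, and the CA's CRL, then compares a chain-only check with one that honours what the CA has said about revocation. Every name, serial and lifetime is constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Demo is a constructed two-tier PKI: a CA, a leaf it issued, and the CA's CRL.
type Demo struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  *x509.RevocationList
}
var ErrRevoked = errors.New("leaf serial is listed in the issuer's CRL")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemo issues a leaf for "example.test" and publishes a CRL. With revoke=true
// the CA retracts its statement about the leaf, as the post says a CA must do.
func BuildDemo(revoke bool) *Demo {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Demo CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// CRLSign is what entitles this CA to sign CRLs that clients will accept.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour), // past this, a relying party must treat the CRL as stale
	}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{
			{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(
		rand.Reader, crlTmpl, ca, caKey))))
	return &Demo{CA: ca, Leaf: leaf, CRL: crl}
}

// ChainOK is where many clients stop: trusted issuer, valid dates, right name. No CRL.
func ChainOK(d *Demo) error {
	roots := x509.NewCertPool()
	roots.AddCert(d.CA)
	_, err := d.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test"})
	return err
}

// RelyingPartyOK also honours the CA's revocation statements: the CRL must be
// signed by the issuer, must not be past NextUpdate, and must not list the leaf.
func RelyingPartyOK(d *Demo, at time.Time) error {
	if err := ChainOK(d); err != nil {
		return err
	}
	if err := d.CRL.CheckSignatureFrom(d.CA); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if at.After(d.CRL.NextUpdate) {
		return errors.New("CRL is stale: fail closed rather than assume not revoked")
	}
	for _, rc := range d.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(d.Leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	d := BuildDemo(true)
	fmt.Println("chain-only:", ChainOK(d), "| with CRL:", RelyingPartyOK(d, time.Now()))
}
```

The point the two checks make together: a CA that knows a certificate is mis-issued but has not yet published the revocation leaves even the CRL-aware check passing, so the relying party has no way to learn the statement is untrue. The stale-CRL branch fails closed; many deployed clients soft-fail instead, which is the revocation-infrastructure weakness the post alludes to.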
