igorette (igorette@bartle.doomicile.de)'s status on Friday, 21-Nov-2014 07:10:39 CET
-
Why a free automated certificate authority is not the solution
The answer is simple: It's a certificate authority.
The certificate authority system is inherently flawed. This was proven not only by the fact that governments as well as criminals have been able to take over broadly accepted certificate authorities in the past, or that these takeovers had to be patched by software updates to a myriad of browsers, operating systems and other software.
It is flawed because it has that huge attack vector: there are over 50 organizations that are trusted by your browser (http://ur1.ca/iu8qn), and they have passed on the privilege to issue certificates for any domain to hundreds of other organizations (http://ur1.ca/iu8qo). Remember, this model is about trust. Do you trust all of these, or even the 50 root CAs? Did you verify that they properly handle the power they've obtained? I did not; it's too much work.
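A way to see for yourself which organizations your own machine trusts as root CAs, as an added example that is not part of the original post: it reads the system trust store through Python's standard `ssl` module, groups the roots by organization, and reports which of them are not on an explicit allow-list you maintain. The `SAMPLE_ROOTS` entries are constructed for demonstration and the allow-list names are hypothetical.

```python
import ssl
from collections import Counter

# Constructed sample in the shape SSLContext.get_ca_certs() returns:
# a list of dicts whose "subject" is a tuple of RDNs, each RDN a tuple
# of (attribute, value) pairs. These are NOT real CA names.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "XX"),),
                 (("organizationName", "Example Root CA Ltd"),),
                 (("commonName", "Example Root CA 1"),))},
    {"subject": ((("countryName", "XX"),),
                 (("organizationName", "Example Root CA Ltd"),),
                 (("commonName", "Example Root CA 2"),))},
    {"subject": ((("countryName", "YY"),),
                 (("organizationName", "Other Trust Services GmbH"),),
                 (("commonName", "Other Root G3"),))},
]


def subject_field(cert, field):
    """Return the first value of `field` (e.g. 'organizationName')
    from a cert dict as produced by get_ca_certs(), or None."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None


def organizations(certs):
    """Count trusted root certificates per issuing organization."""
    return Counter(subject_field(c, "organizationName") or "<no O=>"
                   for c in certs)


def unexpected_roots(certs, allowlist):
    """Organizations present in the store but absent from the allow-list,
    i.e. roots that may issue for any domain without your explicit decision."""
    present = {subject_field(c, "organizationName") or "<no O=>" for c in certs}
    return sorted(present - set(allowlist))


def system_roots():
    """Roots the default SSL context would accept (what the OS/Python trusts)."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    roots = system_roots()
    orgs = organizations(roots)
    print(f"{len(roots)} trusted roots from {len(orgs)} organizations")
    for org, n in orgs.most_common():
        print(f"{n:3d}  {org}")
```

On a machine where Python uses the OS store the output lists every organization whose roots can currently vouch for any site you visit; comparing it with an allow-list you have actually reviewed turns the question in the post into a concrete check.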
Adding just yet another organization that can issue certificates for any domain only... http://ur1.ca/iu8qu