[conspire] How to break the whole Web PKI framework, using PS3s

Rick Moen rick at linuxmafia.com
Wed Dec 31 03:43:07 PST 2008


Quoting Edward Cherlin (echerlin at gmail.com):

> Vernor Vinge, in Rainbows End, wrote about a government agent issuing
> bulk revocations against a major Certificate Authority, with ensuing
> global disruption. This now appears to be within the reach of most
> governments.

The real long-term lesson, honestly, is that it's of questionable wisdom
to trust an SSL certificate (Web, mail, whatever) for no better reason
than your being told by your software that it believes some CA somewhere
in the world signed it.  This has always been the case.  It's just that
MD5 signatures (of those certs and of anything else) are now just a wee
bit more untrustworthy than they already were.

I _still_ don't like PKIs, very much, unless perchance I'm running 'em.
Too much "trust us, we're your guarantor of identity" jiggery-pokery.




