The state-level attack on the SSL CA security model

Florian Weimer fweimer at
Fri Mar 25 04:21:22 CDT 2011

* Roland Dobbins:

> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>  Disclosure devalues information.

> I think this case is different, given the perception of the cert as
> a 'thing' to be bartered.

Private keys have been traded openly for years.  For instance, when
your browser tells you that a web site has been verified by "Equifax"
(exact phrasing in the UI may vary), it's just not true.  Equifax
sold its private key to someone else long ago, and chances are that
the key material has changed hands a couple of times since.

I can't see how a practice that is completely acceptable at the root
certificate level is a danger so significant that state-secret-like
treatment is called for once end-user certificates are involved.

Florian Weimer                <fweimer at>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the NANOG mailing list