The state-level attack on the SSL CA security model

Valdis.Kletnieks at Valdis.Kletnieks at
Fri Mar 25 11:04:59 CDT 2011

On Fri, 25 Mar 2011 08:36:12 PDT, "Akyol, Bora A" said:
> Is it far fetched to supplement the existing system with a reputation based
>  model such as PGP? I apologize if this was discussed before.

That would be great, if you could ensure the following:

1) That Joe Sixpack actually knows enough somebodies who are trustable to sign
stuff. (If Joe doesn't know them, then it's not a web of trust, it's just the
same old CA).

2) That Joe Sixpack doesn't blindly sign stuff himself (I've had to on occasion
scrape unknown signatures off my PGP key on the keyservers, when people I've
never heard of before have signed my key "just because somebody they recognized
signed it").

The PGP model doesn't work for users who are used to clicking everything they
see, whether or not they really should...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list