The state-level attack on the SSL CA security model

Steven Bellovin smb at
Sat Mar 26 12:48:27 CDT 2011

On Mar 26, 2011, at 12:21 12AM, Franck Martin wrote:

> On 3/26/11 15:36 , "Joe Sniderman" <joseph.sniderman at> wrote:
>> On 03/25/2011 11:12 PM, Steven Bellovin wrote:
>>> On Mar 25, 2011, at 12:19 52PM, Akyol, Bora A wrote:
>>>> One could argue that you could try something like the facebook
>>>> model (or facebook itself). I can see it coming. Facebook web of
>>>> trust app ;-)
>>> Except, of course, for the fact that people tend to have hundreds of
>>> "friends", many of whom they don't know at all, and who achieved that
>>> status simply by asking.  You need a much stronger notion of
>>> interaction, to say nothing of what the malware in your "friends'"
>>> computers is doing to simulate such interaction.
>> Then again there are all the "friend us for a chance to win $prize"
>> gimmicks... not a far jump to "friend us, _with trust bits enabled_ for
>> a chance to win $prize"
>> Yeah sounds like a wonderful idea. :P
> Wasn't PGP based on a web of trust too?
Yes -- see Valdis' posting on that:

		--Steve Bellovin,

More information about the NANOG mailing list