

The Tor Project's Response to their Certs being forged - mike-cardwell
https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it

======
larelli
For me, this issue again shows the devastating state the whole SSL system is
in. My browser (and therefore myself) has to trust unknown agencies with
totally intransparent policies. The current state of Google and Mozilla
releasing patches and fixes to the already broken system only makes it look
worse to me.

~~~
kahawe
> _My browser (and therefore myself) has to trust unknown agencies with
> totally intransparent policies._

I completely agree with your message but I think this part is actually even
worse!

Theoretically you could manage all the root certs yourself and revoke and
delete whichever you want, but... as the average user you get a system shoved
down your throat that has clearly reached critical mass (no Iran puns
intended) and you basically willfully trust it, because you have learned
Firefox is awesome and safe and that little golden padlock tells you "hey,
it's OK, relax buddy!" And even just a few years back most people, apart from
the very versed encryption geeks, probably couldn't care less WHAT exactly
was going on in the mess that is root CAs and were happy enough there was
something SSL-y going on.

~~~
pasbesoin
Opera just updated (to 11.51). I opened up the cert management dialog in it
and was impressed at the, by comparison, relatively limited number of root
certificates and the apparent -- based on associated names -- nature of these.

(And no, DigiNotar is not currently in their set.)
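The two comments above describe doing by hand what kahawe calls "managing all the root certs yourself": open the trust store, see how many roots are there and who issued them, and drop the ones you do not want. The following is an added example (not code from the Tor Project, the linked post, or any commenter) that does the same audit against the CA list Python's `ssl` module exposes. The `SAMPLE_STORE` entries are constructed for the example and are not real certificates; they only mimic the dict shape `SSLContext.get_ca_certs()` returns. `audit_system_store()` is the only function that touches the real system store.

```python
"""Audit a CA trust store: enumerate roots, group them by organisation,
and split out any that match a distrust list (e.g. "DigiNotar").

Added example; not part of the Tor Project post or the thread.
"""
import ssl
from collections import Counter


def rdn_value(name, attr):
    """Return the first value of `attr` (e.g. 'organizationName') in a
    subject/issuer tuple of the form ((('countryName', 'NL'),), ...),
    or None when the attribute is absent."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_self_signed(cert):
    """A root is self-signed: its subject and issuer names are identical.
    (A non-root entry in a root store is itself worth a second look.)"""
    return cert.get("subject") == cert.get("issuer")


def matches_distrust(cert, distrusted):
    """True when any distrusted string appears (case-insensitively) in the
    certificate's subject organisation or common name."""
    subject = cert.get("subject", ())
    haystack = " ".join(
        v or ""
        for v in (rdn_value(subject, "organizationName"),
                  rdn_value(subject, "commonName"))
    ).lower()
    return any(d.lower() in haystack for d in distrusted)


def filter_roots(certs, distrusted):
    """Split a cert list into (kept, removed) according to `distrusted`."""
    kept, removed = [], []
    for cert in certs:
        (removed if matches_distrust(cert, distrusted) else kept).append(cert)
    return kept, removed


def roots_by_org(certs):
    """Count entries per subject organisation, like the overview pasbesoin
    eyeballed in Opera's dialog."""
    return Counter(
        rdn_value(c.get("subject", ()), "organizationName") or "<no O>"
        for c in certs
    )


def audit_system_store(distrusted=("DigiNotar",)):
    """Run the filter over what this Python process actually trusts.
    Caveat: OpenSSL only reports certs from a capath directory once they
    have been used, so on some systems this list is incomplete."""
    ctx = ssl.create_default_context()
    return filter_roots(ctx.get_ca_certs(), distrusted)


def _name(country, org, cn):
    """Build a subject/issuer tuple in get_ca_certs() layout (constructed)."""
    return ((("countryName", country),),
            (("organizationName", org),),
            (("commonName", cn),))


# Constructed sample store: names chosen for the example, not real certs.
_DIGINOTAR_ROOT = _name("NL", "DigiNotar", "DigiNotar Root CA")
_EXAMPLE_ROOT = _name("US", "Example Trust Inc", "Example Root CA")
_EXAMPLE_ROOT_2 = _name("US", "Example Trust Inc", "Example Root CA 2")
SAMPLE_STORE = [
    {"subject": _DIGINOTAR_ROOT, "issuer": _DIGINOTAR_ROOT, "version": 3},
    {"subject": _EXAMPLE_ROOT, "issuer": _EXAMPLE_ROOT, "version": 3},
    {"subject": _EXAMPLE_ROOT_2, "issuer": _EXAMPLE_ROOT_2, "version": 3},
    # An intermediate that slipped into the root store: not self-signed.
    {"subject": _name("NL", "DigiNotar", "DigiNotar Services CA"),
     "issuer": _EXAMPLE_ROOT, "version": 3},
]


if __name__ == "__main__":
    kept, removed = filter_roots(SAMPLE_STORE, ("DigiNotar",))
    print("sample store, kept by org:", dict(roots_by_org(kept)))
    for c in removed:
        print("would remove:", rdn_value(c["subject"], "commonName"),
              "(self-signed)" if is_self_signed(c) else "(NOT a root!)")
    kept, removed = audit_system_store()
    print("system store:", len(kept), "kept,", len(removed), "distrusted")
```

The filter is deliberately a substring match on O and CN rather than a fingerprint match: a distrust decision like "nothing from DigiNotar" has to catch every root and cross-signed intermediate the company operated, not just the one cert you happened to notice. Removing a root from Python's view does not remove it from the browser; this is the audit step, and the actual deletion happens in each trust store's own tooling.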

------
mike-cardwell
This isn't just an article about their opinion on the DigiNotar debacle.
Multiple Tor Project certs _were_ forged, and they've taken several steps to
reduce the likelihood of this being a problem in future.

------
nodata
Rather than beat a dead horse and rehash all of the numerous problems with SSL
certificates, does anyone have a table of real workable alternatives to SSL
somewhere?

~~~
andreasvc
Convergence, DNSSEC, or web of trust systems like PGP.

------
nodata
DNSSEC + TXT keys please!

