

EFF Data Shows Five CAs Compromised Since June - TheloniusPhunk
http://threatpost.com/en_us/blogs/eff-data-shows-five-cas-compromised-june-102711

======
jbyers
Original article: <https://www.eff.org/deeplinks/2011/10/how-secure-https-today>

------
inopinatus
I don't think that we can fix the burgeoning sprawl of dodgy CAs - that horse has
already bolted. Moxie Marlinspike's Convergence framework might be a solution
but it needs critical mass.

We can also create a second validation of every certificate via DNSSEC, which
means a counterfeit cert becomes detectable by failing a positive check. This
is better and easier than the negative OCSP revocation checking that we
currently do, or at least it will be when everyone's recursive resolver
supports DNSSEC. Again, this needs critical mass.

Unfortunately the IETF has two groups (DANE and PKIX) both working on this in
parallel and there is not yet clarity over which DNS record to use or how
(TLSA or CAA). However, the DANE group has just published their scope RFC
(<http://www.rfc-editor.org/rfc/rfc6394.txt>). So there is progress.
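A worked illustration of the "positive check" inopinatus describes, added here and not part of the thread, the EFF article or any RFC text: a small Python implementation (stdlib only) of the TLSA matching rules from RFC 6698, restricted to usage 3 (DANE-EE, where the record pins the end-entity certificate itself). It parses a TLSA record in presentation format, derives the association data from the presented certificate, and reports whether any record matches, so a counterfeit certificate fails the check rather than needing to show up on a revocation list. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders, not real DER; a real client would extract the SPKI from the server's leaf certificate and take the TLSA RRset only from a DNSSEC-validated answer, which is outside this example.

```python
"""TLSA (RFC 6698) matching as a positive certificate check, usage 3 only.

Added illustration; no DNS lookup is performed and the "certificates" below are
constructed placeholder bytes, not real X.509 DER.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable

# RFC 6698 field values used here
USAGE_DANE_EE = 3          # record pins the end-entity cert; no PKIX chain needed
SELECTOR_FULL_CERT = 0     # match against the whole certificate
SELECTOR_SPKI = 1          # match against the SubjectPublicKeyInfo only
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    association_data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse presentation format such as '3 1 1 <hex>' (hex may contain spaces)."""
    parts = presentation.split(None, 3)
    if len(parts) != 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA field value")
    data = bytes.fromhex("".join(parts[3].split()))
    return TLSARecord(usage, selector, mtype, data)


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    """Compute what a TLSA record with these fields would carry for this cert."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(cert_der: bytes, spki_der: bytes,
                 records: Iterable[TLSARecord]) -> bool:
    """Positive check: True iff at least one DANE-EE record matches the cert.

    Usages 0-2 also require PKIX chain or CA checks, so they are skipped here
    and count as no match. The RRset must come from a DNSSEC-validated answer
    (AD bit / local validation); that step is assumed, not implemented.
    """
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue
        expected = association_data(cert_der, spki_der, rec.selector, rec.matching_type)
        if hmac.compare_digest(expected, rec.association_data):
            return True
    return False


# Constructed placeholder "DER" bytes (not real certificates).
CERT = b"constructed-legit-cert-der"
SPKI = b"constructed-legit-spki-der"
COUNTERFEIT_CERT = b"constructed-rogue-ca-issued-cert-der"
COUNTERFEIT_SPKI = b"constructed-rogue-spki-der"

# Record the domain owner would publish: usage 3, SPKI selector, SHA-256.
GOOD_TLSA = f"3 1 1 {hashlib.sha256(SPKI).hexdigest()}"


def demo() -> tuple:
    """Return (legit_matches, counterfeit_matches) for the published record."""
    rrset = [parse_tlsa(GOOD_TLSA)]
    return (tlsa_matches(CERT, SPKI, rrset),
            tlsa_matches(COUNTERFEIT_CERT, COUNTERFEIT_SPKI, rrset))


if __name__ == "__main__":
    legit, rogue = demo()
    print("legitimate cert accepted:", legit)
    print("counterfeit cert accepted:", rogue)
```

The counterfeit certificate is rejected because the check is positive: the client only accepts a certificate whose selected data matches a published record, so a certificate from a compromised CA never appears in the set, regardless of whether anyone has revoked it yet.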

