> What you're trying to do is a "who is watching the watchers" kind thing and > as you described, you do this by adding another central piece of machinery to > the picture where another central piece of machinery is easily manipulated > into rogue actions. I don't see how this would make anything better. I think it's much better. Every existing CA including CNNIC made a promise to comply to the universal PKI trust policy, we just need a scheme to enforce their promise. It's quite easy for a single person to breech the trust, but it's extremely harder for 2 independent organizations to operate a conspiracy of breach of trust. It's like people shouldn't trust a self made financial report of a public company, but if it's reviewed by an independent auditor, it's considered trustworthy enough for serious usage. Of course there may be exceptions, but cryptography itself is not absolute anyway.
> If you're talking about a country level PKI (probably supported by law) and > the need to bring some bad guys operating in that system to justice under the > same law environment.... This should be fixed on that local level, not as an > addon software piece. If an Auditing scheme is not implemented, almost all bad guys won't be detected, so they be laughing all the way to the bank. > The same problem haunts OCSP or all central services. The proposed scheme reveal much less information than CRL and OCSP, only reveal the first access instead of every access, so as long as OCSP exists, the proposed "Auditing scheme" is not a decent privacy threat. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
