by Seth Schoen
The most common way of using SSL/TLS encryption relies on a public-key infrastructure that puts near-absolute trust in a large number of entities around the world, any one of which could accidentally or deliberately empower anyone in between us and our communication partners to impersonate any site or service and spy on all of our communications. We've seen that these certificate authorities can make mistakes. CA mistakes, or collaboration with attackers, can expose us to undetectable man-in-the-middle attacks, so we need new mechanisms to meaningfully double-check that they're doing the right thing.
I will discuss a whitepaper and research collaboration that are exploring the available sources of information that could help address this problem.
1st–4th June 2010