Do the SSL Watchmen Watch Themselves?

StrongestLink writes "In an intriguing twist on the recent Comodo CA vulnerability discussed here last week, security researcher Mike Zusman today revealed that three days prior to StartCom's disclosure of a flaw in a Comodo reseller's registration process, he discovered and disclosed an authentication bypass flaw to StartCom in their own registration process that allowed an attacker to submit an authorized request for any domain. During a month which was marked by the continuing paradigm shift to SSL-verified holiday shopping, the Chain of Trust continues to run off the gears, and Bruce Schneier is even commenting publicly that SSL's site validation mission isn't even relevant. What lies ahead for the billion-dollar CA industry?"

Nope. Government AND private companies

[Cyberax]

It's better to use private companies with government oversight.

I now live in Ukraine and we have such a system. Government licenses private companies to work as certification centers and mandates that only certain (strong) crypto algorithms must be used.

As a result, I can use my private key to sign my tax report for IRS (or tax report for my company). IRS in turn uses its own key to sign their letters.

That's pretty cool, if you think about it.