India's National Informatics Centre Forged Google SSL Certificates

NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

Repercussions?

Will there be any repercussions for this?

The National Informatics Centre of India did abuse something.
Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future?
Or will they lose this ability?

What will happen now?

They have shown that they can not be trusted. They must lose the power to do this.

Pull someones certificates or kill some CA. Someone needs to suffer because of this.

Re:Repercussions?

They must lose the power to do this.

No one can be trusted. The system/infrastructure must be designed to take into account untrustworthiness of all parties involved. WoT.

Re:Repercussions?

[Z00L00K]

This yet again highlights that the three-party trust system is broken.

There are ways around it, but there is no great solution - only workarounds.

Re:Repercussions?

[INT_QRK]

“Power attracts the corruptible. Suspect any who seek it.” Frank Herbert, Chapterhouse: Dune

Re:Repercussions?

[INT_QRK]

The bargain lies in the relatively low cost of relatively skilled labor. Other considerations, where there might be awareness, are secondary, or less.

Re:Repercussions?

[Cajun+Hell]

If you think that might work, then keep learning. The botnets' "vote" only gets counted if someone decides to trust all of them. And if you can arrange that, then you don't need a botnet, you just need one node.

All that matters is how your fake node (or web of fake nodes) is connected to the victim.

Re:Repercussions?

[IamTheRealMike]

They have shown that they can not be trusted. They must lose the power to do this.

Pull someones certificates or kill some CA. Someone needs to suffer because of this.

What happens now is that there's an investigation. Depending on the outcome the CA may be revoked for good, or merely forced to reissue lots of certificates. The deciding factor is the reason for the screwup - for instance they may have got hacked, rather than been actively corrupt. In that case Microsoft will have to decide if they have patched things up enough to continue as part of their root store program or whether to pull the plug. I doubt many people have certs issued by this CA so the damage would be relatively minimal.

Unfortunately you can't just kill any CA that screws up. For one, if the CA was widely used it'd be disrupted. For another, nothing is unhackable, especially when you get the NSA involved. Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

Hard decisions ahead for browser and OS makers for sure ...

Re:Repercussions?

[sjames]

Never do business with anyone who outsources customer service at all. The 'representative' only has the power to read from the flip chart. They absolutely do not have the authority to fix the problem and they do not know who does or how to contact them.

Re:Repercussions?

[BitZtream]

Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

Yet that is exactly what they are supposed to do. Its not even really that hard.

Every CA hack to date has been preventable as was the fault of the CA simply not putting the required effort into doing their job or being flat out malicious. Stop trying to make it out like its an uber hard job, its not.

Re:Repercussions?

[Cajun+Hell]

Oops, didn't realize we were talking about something like that.

That plugin is a kind of neat idea (I approve) but it's very poorly named and doesn't seem to have anything in common with a real "web of trust." I'd probably be madder about the atrocious name if I didn't happen to like the plugin.

That gives me an idea: I should make a program for X11 users, where the five hundredth and ninth time someone opens a new window, it generates a PDF containing an extravagant statement of the accomplishment. Then I could call the program "X.509 Certificate Authority" just to fuck with everyone.

I also have an idea for an internet communications protocol which provides the social verification (the "proof" I think he called it) of Metcalf's Internet Teranodes Metric, but I'm trying to think of a concise way to explain that to people.

What's interesting about my MITM-proof thing is that it was computer-generated. I just had to provide the right seed (the "key" according to the software's docs) to the Pseudorandom Generated Proof engine. If you don't want me to explain how the MITM-proof works, I can just give you the PGP key and you can study the output yourself, in your own Virtual Information Monitor window, or Enhanced Markup Automatic Correlation Searcher if you prefer that approach.

Re:Repercussions?

[shaitand]

What makes you think it's any different with internal customer service at any sizable company?

Re:Repercussions?

[shaitand]

Seriously? How hard is it to put the actual root certificate on an offline internal network? You have to actually have a human being move a thumb drive between two machines to generate a cert. OMG, the horror! It's india for god sake, don't tell me they can't afford all that manual labor.

Re:Repercussions?

[sjames]

They do know who the boss is and who his boss is. They know who signs their paychecks. They may not tell, but they know.

With internal CS, there is at least a chance that it is supposed to be more than an impenetrable barrier between the customer and someone with authority.

Re:Repercussions?

[david_thornley]

Outsourced customer service is generally paid by the call. This means that the ideal call is a short one where the customer is satisfied enough not to raise a ruckus, but will run into problems and have to call back. Even if there is any way to pass feedback to the software vendor, it isn't in the customer service's interest to provide it, as clarifying a confusing thing in the software could lead to serious loss of revenue. That also means that the software vendor doesn't have the information to either fix things or even figure out what team is making confusing things.

This is also effectively true when a badly run software company runs its own customer service. A well-run company, however, can get useful information out of customer service, and has the ability to actually solve problems. It has incentive to fix difficult problems and data to find them. It's more expensive up front, but if you can reduce the number of calls, by reducing the number of customers with problems, you can save money in the long run.

If a company actually cares, it can also use excellent customer service to keep customers. I still have warm feelings for Apple based on a customer service call several years ago, in which I was quickly talking to somebody who understood what I was talking about, proposed a solution that worked, and provided useful supplementary information. You don't get that from outsourced service from Bangladesh.

Who do they think they are?

[Required+Snark]

The NSA?

Re:Who do they think they are?

[cold+fjord]

Who in the world do you think gathers intelligence?
Only the NSA?
Need a bridge? I have one for sale.

Re:Who do they think they are?

[oodaloop]

Nice strawman. So does the NIC have a legal mission to gather intelligence? Does forging certificates constitute legitimate intelligence collection?

Re:Who do they think they are?

[INT_QRK]

All countries conduct espionage to the extent that they prioritize their capabilities, and against targets where they perceive threats and/or opportunities.

Re:Who do they think they are?

[cold+fjord]

Strawman? Not so much.

So does the NIC have a legal mission to gather intelligence? Does forging certificates constitute legitimate intelligence collection?

Who can say? Do you have any thoughts on the matter?

Re:Who do they think they are?

[ultranova]

All countries conduct espionage to the extent that they prioritize their capabilities, and against targets where they perceive threats and/or opportunities.

All countries keep an eye on their neighbours, just like all people keep a general awareness of their surroundings. All countries don't tap the phones of their neighbours's leaders, or install malware on equipment sold to them, or even spies over. Morals aside, taking hostile action tends to backfire, as the US is learning. Reputation is a resource, and it's stupid to waste it.

The problem with Machtpolitik is that even if you win a few rounds, you can't stop playing without giving away all your ill-gotten gains, and sooner or later you lose. And when you do, you don't get back what you've lost, even if you quit. And sometimes the house wins and everyone loses big time. And the Devil's the dealer.

The US is a good case study: the country is hopelessly in debt and the infrastructure is crumbling, yet it's going to be spending $ 1 trillion for a new fighter. It's madness, but that's the price US pays for the way it fought the Cold War. Ruthlessness doesn't go away and leave you alone just because whatever enemy you conjured it up to win has. That's why it's foolish to ignore morality, even in international politics - especially in international politics, since there's no nice constable to run to if you manage to get in over your head.

Re:Who do they think they are?

[viperidaenz]

Name one intelligence agency that doesn't use other government agencies to assist its endeavours.

Re:Who do they think they are?

[INT_QRK]

I was making an observation, not an apology. Notice that I never added, "...and this is always good thing." That said, neither is it always a bad thing.

Typical

Good old Indian "ethics".

Re:Typical

[Himmy32]

The whole world is filled with people with dubious ethics. Some regions just have slightly more effective means of controlling them.

All about trust

[Himmy32]

The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again. They should know better.

Re:All about trust

[currently_awake]

So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

Re:All about trust

[gstoddart]

So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

India already forced BlackBerry to allow them to access BBM and the like.

Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.

Which means Indians are already being spied on by (at least) their own government AND the USA.

Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.

Re:All about trust

[Himmy32]

Let's be honest the outrage in India over this is going to be small. The current furor is over people getting raped and hanged while defecating in the open. The US doesn't really have a leg to stand on with the Snowden revelations and espionage in Germany. Nor do too many people want them to be the Internet World Police. It's a complex world with every country playing the spying game. No one is really shocked when someone else gets caught.

The only thing that will come out of this is lack of trust for some Indian certs, and hopefully some awareness that these attacks are happening.

Re:All about trust

No one is going accept a cert from them again.

Yeah. Just like no one trusts Comodo CA. Oh wait.

Re:All about trust

[Himmy32]

Deliberately giving out bad certs and being hacked are a little different. But as your comment shows their reputation has suffered because of the breach even 3 years later.

Re:All about trust

[OhPlz]

As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.

So no, it's not ok. Not for the US, not for India.

Re:All about trust

Remember DigiNotar ?
They went bankrupt because nobody trusted them anymore.

Re:All about trust

[cyberchondriac]

Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it. Every other country does it's sharing of spying too, let's not be naive. Wrong is wrong, no matter who does it. This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.
It's only fair that you either get to protest when every and any country pulls something like this, or not at all.

Re:All about trust

[gstoddart]

Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it.

I don't disagree with you, but the hypocrisy of "but that's the job of the NSA" that I hear when someone points this out is maddening.

This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.

And one which was doing business in their country. Like it or not, Google in India is subject to India's laws.

How many corporations and people in foreign countries have been targeted by the NSA? How many people think that is wrong?

There are an alarming number of people who basically say it's OK when the NSA does it, because that's their mandate.

It's only fair that you either get to protest when every and any country pulls something like this, or not at all.

Oh, I agree, and I disagree with the practice in general. But, as I said, it's appalling just how many Americans keep saying "it's fine when we do it, it's wrong when you do it".

I'm just reminding people of the apparent double standard which gets applied here and in the news.

Me, I think for a country to decide that their laws/desires trumps the rights of people in other countries, you lose some credibility when someone does the exact same thing to you.

Re:All about trust

[INT_QRK]

...and that's good. Loss of trust and confidence is the price one pays for getting caught breaching same.

Re:All about trust

[cyberchondriac]

Honestly, I don't think I've heard but a handful of americans saying that it's fine when we do it.. Pretty much everyone is up in arms over the NSA. What I hear people say - if unapologetically- is that the NSA isn't the only one doing it. And you'll probably never hear much about what the KGB does (I know that's more an equivalent to the CIA than the NSA but I'm not sure if Russia sets up their organizations like the US does).

Still, Google may have a presence in India but it's not an Indian company, per se.

At this rate, it seems like someday in the future we may have to deal with possibility that being on the Internet is like being a celebrity: no expectation of privacy.

Re:All about trust

[cellocgw]

The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again.

Sounds like what we need is a cert-issuing protocol based on Bitcoin security. Everyone (plus or minus epsilon) trusts that Bitcoins can't be forged.

Re:All about trust

[sjames]

Agreed. They might or might not put the bodies in prison with the heads, I'm good with it either way. :-)

So SSL is nothing more than an honor system?

[bazmail]

So SSL is nothing more than an honor system? Fuck that. Security , such as it was, is utterly fucked now that any tin-pot government quango can start intercepting.

Re:So SSL is nothing more than an honor system?

[bunratty]

Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.

Re:So SSL is nothing more than an honor system?

[Desler]

You're just figuring this out? Have you been living under a rock for the past ~20 years or are you just incredibly naive?

Re:So SSL is nothing more than an honor system?

[gstoddart]

So SSL is nothing more than an honor system?

This is nothing new.

And, let's face it, I bet the NSA et al have demanded more private keys be handed over to them than you'll ever know about. Where's your outrage over that?

The five eyes all use each other to spy on their own (and others) citizens, and share the information among themselves. Where's your outrage over that?

I see this as a symptom of a greater problem, but no different from what a bunch of other countries are already doing.

Until someone creates a new encryption system which isn't susceptible to MITM attacks, this will always be the case. And governments will always unashamedly insist on spying on their people, and anybody else they can find.

Re:So SSL is nothing more than an honor system?

[gweihir]

Anybody that looked into the SSL certificate system has known that for a very long time. Quite a few people used to use self-signed certificates, as as least there somebody that bothered to find out could be sure it was secure.

I think the fundamental brokeness of the SSL certificate system is because of deep naivety with regard to the trustworthiness of governments and because of active sabotage of by said governments way back. I hope at least that issue is fixed after Snowden. Governments are even more evil than any of their members and cannot be trusted for any purpose.

Re:So SSL is nothing more than an honor system?

[bill_mcgonigle]

There are two TLS extensions that fix these problems - one is including your certificate fingerprint in DNS and the other is multiple signatures. Both have good standards and the industry is painfully slow to adopt them.

Re:So SSL is nothing more than an honor system?

[Rich0]

SSL goes beyond the naivety of government trust. It also suffers from what amounts to a global namespace/trust/etc issue.

Any CA can issue a certificate for any domain, a domain generally can only have one certificate, and the trusted CA list is managed by the browser, not the user.

So, if you trust your government (naievely), and distrust everybody else, it won't work. Your browser will constantly be wanting to add CAs you don't trust, and might not include ones you trust. Then, if you drop a bunch of CAs then a bunch of websites won't work. A website doesn't have the option of getting certificates from 14 different CAs so as to be trusted by everybody - they have to pick one and everybody has to trust them.

So, users are basically forced to accept CAs they've never heard of, and the whole system is a mess as a result.

Re:So SSL is nothing more than an honor system?

[jandrese]

x509 is as strong as the weakest signing authority, and there are many many signing authorities now.

It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs. IMHO SSH did a better job of this by simply having you inspect the certs the first time you log on to a site and storing the result, only freaking out if the cert changes. It eliminates the complex chain of trust that in the end comes down to just trusting people you don't know anyway and hoping that none of the thousands of people involved are corruptible or incompetent.

Re:So SSL is nothing more than an honor system?

[sexconker]

Until someone creates a new encryption system which isn't susceptible to MITM attacks

Uh, some of the earliest encryption algorithms ever created are immune to MITM.
The core of the MITM issue is that anything sent over it could be intercepted or spoofed.
So ALL your communication must be encrypted.

All you need a pre-shared key to initiate the connection. Whether that's a password or a certificate or something else makes no difference. What matters is the pre-sharing. You have to fucking know and trust the source of that key. If you're just using a list of certs issued by people you don't know and trusted on your behalf by other people you don't know, then your shit isn't secure.

In an ideal world I'd walk into a bank branch, verify that it is my fucking bank, ask them for a certificate for web access, they'd generate a unique one for me, and I'd copy it to my devices and trust it. I would also give them my own unique certificate, though a username and password is essentially a weaker version of that.

Re:So SSL is nothing more than an honor system?

[nyet]

It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs

Exactly. Especially since you can get a "real" cert from one of many, many, free cert signing services. What is the point?

Re:So SSL is nothing more than an honor system?

[gstoddart]

Uh, some of the earliest encryption algorithms ever created are immune to MITM.

Yes, and they were built for communications between two parties, who knew they'd be communicating, and could exchange keys in advance.

Now, tell me one which is applicable to the problem of a large number of potential users, all unknown up front, and coming from random devices.

The problem with modern public key encryption (and its strength as well) is that you don't need to pre-exchange keys. But this opens you up to MITM attacks.

Key exchange is hard. Managing all of those keys is really hard. You think a bank can maintain a list (and keep it secure) of the private keys of every individual customer?

The thing which holds the keys (and every vendor you deal with would have a separate copy) then becomes the next attack vector.

I think the generalized problem of establishing, trust, and a secure exchange of keys, is far harder and more complex in a world where you deal with lots of entities, who deal with lots of entities. This isn't things your average person are going to be willing to spend hours doing.

Re:So SSL is nothing more than an honor system?

[jandrese]

Originally it was supposed to be a cash cow for Verisign, but they screwed up and didn't assign a "trustworthiness level" to each CA so there's no reason to spend the big bucks on a Verisign cert over Joe Blow's Free Cert Shop now. Browsers treat both the same.

Re:So SSL is nothing more than an honor system?

[chihowa]

That's a cop-out, though. Yes, there is always an element of trust in whatever you do. That's unavoidable, though it's smart to minimize the amount of trust you must put in others. Taken to the extreme it's ludicrous, as you've pointed out. But, that doesn't mean that there's no merit in limiting the amount of trust you put in third parties. Just because you can't completely trust your OS or compiler, doesn't mean that you should throw the entire concept of limiting trust out the window. It's dishonest to suggest that the risk is the same between trusting (your compiler), (your compiler + your OS), and (your compiler + your OS + the CA system).

The CA system is truly an honor system by design. It requires you to put your complete trust in a large, and growing, list of opaque and unfamiliar third parties and the decision to trust them is made by others though an opaque and unaccountable process. It's putatively a "security system", but is insecure by design. It depends entirely on unaccountable, secretive, and self-selected "authorities" to determine who should trust who.

Look at your OS's list of trusted CAs sometime. Any of these organizations, or anyone delegated by any single one of them, are implicitly trusted by your system. Completely trusting Microsoft, Apple, or various Linux devs is naive, but completely trusting everyone in the root CA list is absolutely insane!

Re:So SSL is nothing more than an honor system?

[gweihir]

Indeed. That is why I wrote "governments" as in the sum of all of them. One corrupt one is enough to break things.

Re:Anybody else think posting AC should be abolish

[Desler]

Funny, I looked up "Assmasher" in the White Pages and various international name lookup services and didn't get a single hit. It's almost as if you're hiding your identity no differently than the very ACs that you proclaim to want to be abolished. Man up and give us all your personal details or STFU.

Re:Anybody else think posting AC should be abolish

[bill_mcgonigle]

I was gonna say set your preferences to -5 AC posts, but I can't find the setting at the moment - did they get rid of it for beta? Somebody probably can post the link to the scoring prefs.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Pseudonyms exist to protect people from the rabid - like yourself.

Think about the stupidity of comparing the establishment of a pseudonym to posting your SSN? LOL.

Re:Anybody else think posting AC should be abolish

[gweihir]

The difference between India and some other countries is that India is 2nd-rated enough to be caught immediately when they do something like this. That makes them more stupid, but less of a threat than, say, the US.

Re:Anybody else think posting AC should be abolish

[Desler]

How does having a registered account mean anything? You can register one with a throwaway email account. Plus many registered people do use AC from time to time.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Because it's a pain to do so. It helps cut down on the DB anonymous posting. You can quickly discern if they're schills, flametards, et cetera.

I agree, I post on occasion as AC when I'm on another device, and like I said, I never had any problem with people posting AC until the past few years when people seem to be using it to simply spam /. with total garbage, or hatred, et cetera.

Re:Anybody else think posting AC should be abolish

[JesseMcDonald]

Somebody probably can post the link to the scoring prefs.

https://slashdot.org/users.pl?op=editcomm

Or you can click on one of the "edit" links in the score details window.

Re:Anybody else think posting AC should be abolish

[Desler]

Because it's a pain to do so

Yeah clicking a button and typing a couple dozen characters is sooo hard. Registration takes less than 5 minutes in total.

Internet Explorer IS vulnerable though

[dwheeler]

This is a big deal. If you use a browser on Windows that does NOT counter this, such as Internet Explorer, then you ARE vulnerable. I imagine Microsoft will come out with a special-purpose patch, but still, this is a pretty nasty issue.

Untrustworthy CAs have been a problem for a long time; we need mechanisms to address them. The terrible cert revocation system makes it even worse; you can't be sure that the certs are checked in many cases. Chrome's CRLSets are not the answer; they are not even the beginning of an answer. We need to fix the whole revocation system. Sadly, there hasn't been enough work or enough urgency on these problems; maybe this will light a fire under those efforts. I doubt it, but it's worth hoping.

Old-media contact info

[tepples]

Some people have a "Homepage" link at the top of each of their posts that points to old-media contact info.

Re:Anybody else think posting AC should be abolish

[Assmasher]

Doesn't it require a valid e-mail address and confirmation first? It certainly used to.

Re:Anybody else think posting AC should be abolish

[Assmasher]

5 minutes is a lot of time for the people who go around spouting hatred and ugliness all over internet forums. This is why the don't register, because it's not worth the effort - especially when they get banned - especially if that ban is by IP.

Corruption is cultural

[tepples]

It's not the race as much as the culture. A culture that doesn't value honest dealings with outsiders will produce crooks. I lack the experience to name any names, so is there anything specific in the culture of India or the Jewish diaspora that might produce such dishonesty?

Re:Anybody else think posting AC should be abolish

[Desler]

No it's not.

Isn't it time we apply name constraints?

[Antibozo]

I think intermediate CA certificates issued to certificate vendors, ISPs, governments, should all have name constraints so that they can be used to sign only certificates for an appropriate part of the namespace.

http://tools.ietf.org/html/rfc...

Re:Scoped certificates

[DERoss]

That is an existing capability within the SSL process. NIC will be restricted to issuing certificates only for a set of domains that are specific to India. Just be careful if you want to have financial transactions over the Web with institutions based in India.

Not a Problem with Mozilla-Based Applications

[DERoss]

This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.

The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.

To see the discussion, see https://bugzilla.mozilla.org/s....

Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!

Re:Scoped certificates

[jonwil]

There are any number of proposals out there to replace or augment CA certificates for SSL purposes (the EFF has Sovereign Keys, there is the DANE proposal to store certificates in DNS with DNSSEC security and there are other proposals out there designed to make it much harder for these kinds of "bogus certificate" type attacks)

Why aren't any of these proposals actually gaining any traction?

Re:Scoped certificates

[Antibozo]

It sounds like we need the ability to limit the scope of certificate authorities to signing for only certain domains.

http://tools.ietf.org/html/rfc...