Trust isn't the key problem with CAs.
The key issue is that CAs like Thawte or Verisign do not scale. They manually verify each certificate request, a very expensive and labor-intensive process. A customer ordering an SSL certificate for https://www.acme.com/ must provide CA with legal documents showing that (a) ACME corp actually exists, (b) he really works for ACME, (c) he is authorized to request the certificate, and so on..
All submitted documents are manually verified by the CA (at least in theory). Sometimes, they look up the company in a phone directory and call the public phone number to check that the requester really works for the company, etc.
That's why CA-issued certificates are so expensive; for example, 1-year Thawte SSL cert costs US $249. The certificate alone costs more than what a shared hosting with php5 and mysql would cost, per year!
Expensive, manual verification process is the key problem with modern CAs and "notaries" provide excellent solution to it.
the government certainly took no action to find or punish whoever was behind the cyber attacks - it's difficult, almost impossible to find them.
Look at Storm superworm, for example: is known since many months; countless articles are written; researchers investigate it, plot its topology, they know how it is controlled, even Bruce Schneier blogged about it;). They still have no clue who actually controls Storm.
The same applies to most botnets.
Most botnet owners are caught because they try to earn cash with the botnet in some way, like sending Vi***gra spam or blackmailing some bank (pay us $1M or we DDoS you). Earlier or later, police catches them by "following the money".
This doesn't work with nationalist DDoSers: they neither extort any money nor contact anyone.
We need some serious analysis before accusing anyone in anything. Remember a recent slashdot story about that 20-years old Estonian student who launched serious DDoS attacks against several political websites in Estonia?
Initially those attacks were attributed to the Russian government, too.
On the internet, it only takes one ultranationalist hacker with access to some superworm like Storm to start a full-scale cyberwar.
Hence, I'd wait with any accusations to Russian or Georgian governments.
Slashdot Mirror
Trust isn't the key problem with CAs.
The key issue is that CAs like Thawte or Verisign do not scale. They manually verify each certificate request, a very expensive and labor-intensive process. A customer ordering an SSL certificate for https://www.acme.com/ must provide CA with legal documents showing that (a) ACME corp actually exists, (b) he really works for ACME, (c) he is authorized to request the certificate, and so on..
All submitted documents are manually verified by the CA (at least in theory). Sometimes, they look up the company in a phone directory and call the public phone number to check that the requester really works for the company, etc.
That's why CA-issued certificates are so expensive; for example, 1-year Thawte SSL cert costs US $249. The certificate alone costs more than what a shared hosting with php5 and mysql would cost, per year!
Expensive, manual verification process is the key problem with modern CAs and "notaries" provide excellent solution to it.
the government certainly took no action to find or punish whoever was behind the cyber attacks ;). They still have no clue who actually controls Storm.
The same applies to most botnets.
- it's difficult, almost impossible to find them.
Look at Storm superworm, for example: is known since many months; countless articles are written; researchers investigate it, plot its topology, they know how it is controlled, even Bruce Schneier blogged about it
Most botnet owners are caught because they try to earn cash with the botnet in some way, like sending Vi***gra spam or blackmailing some bank (pay us $1M or we DDoS you). Earlier or later, police catches them by "following the money".
This doesn't work with nationalist DDoSers: they neither extort any money nor contact anyone.
We need some serious analysis before accusing anyone in anything. Remember a recent slashdot story about that 20-years old Estonian student who launched serious DDoS attacks against several political websites in Estonia? Initially those attacks were attributed to the Russian government, too.
On the internet, it only takes one ultranationalist hacker with access to some superworm like Storm to start a full-scale cyberwar. Hence, I'd wait with any accusations to Russian or Georgian governments.