
Comment Re:Just make a good security standard already (Score 1) 54

You make an excellent point. Such a certification system would still be 1000% better than the current system though. It's very plausible that one of the 100 authorities in my browser list screws up or maliciously generates rogue certificates to spy on regime dissidents. A scenario where the US would choose to secretly use the root cert to create rogue certs for MITM attacks is not very likely as it would be easily detected and would undermine the trust in DNSSEC and the whole infrastructure of the Internet so I doubt the US would risk that. It would probably result in some sort of diplomatic crisis.

Comment Just make a good security standard already (Score 3, Insightful) 54

What an epic fail for TLS. The certification system is broken by design and now apparently the block encryption as well. Let's take this opportunity to draft a new standard that:

A) Solves the having-to-trust-cert-authorities in China by using DNSSEC instead for certification. It should also optionally support manual cert distribution or remember-public-key for advanced users.

B) Just like SSH it should support a range of handshake methods/encryption algorithms. It's insane to rely on a single algorithm. So when (note "when", not "if") an algorithm gets busted I can simply patch my browser.

So somebody, please write an RFC now, anyone? :)

Comment Re:I see two things happening (Score 2) 198

I doubt you would want to move out in the middle of the desert with no open stores and no institutions if you are homeless. Since the city only consists of buildings you would have a lot of logistics problems. Do they even have running water? Even if they did the piping there would be no point in having it on except if they did some kind of related water tests.

Comment Re:Biggest tight wad of all time (Score 1) 324

Yes, and here I also have another outlook. It's also pretty typically American to expect emergency relief (see http://slashdot.org/comments.pl?sid=2405282&cid=37260276) and institutions in society to be funded by charity. I, however, think this is the government's obligation, and also the UN's in case the government cannot help its own people. I don't refer to emergency relief when I talk about charity. See my other post.

Comment Re:Biggest tight wad of all time (Score 2) 324

I don't consider emergency relief "charity" so I think there is some mix-up in terminology here. When it comes to emergency relief there are already systems in place, if not governments then at least the UN. If you want to talk about the real problems like world poverty, lack of education, widespread disease, non-functioning markets and election systems things tend to get a lot more complex than "people starving because this disaster cuts off their supply of food so we need to give them food". You need to realize that most of the world is actually not in a state of emergency but has problems just as pressing in the long term as people starving in the short term.

What I'm criticizing here is that many charity projects just burn a pile of money for the sake of easing the conscience of people that are better off, which helps nothing at best and is counterproductive at worst. For example building a bunch of schools so children can get education. Very heart-warming but futile when you don't have teachers and the kids need to work anyway to provide for their family so the families are not interested in getting education for their kids. The well functioning market economy is the best tool invented so far to generate wealth - and charity is just a temporary flow of resources that could actually interfere with that mechanism. Especially when the goal of the investment is to have a huge impact in the short term just like many charity projects do, since the easiness to gather money is proportional to how seemingly pressing the issue being addressed by the charity is.

What's interesting though is charities that attempt to kick start business and entrepreneurship in poor regions. There have been some interesting projects in that area that touch on micro-loans, hands-on education and getting involved with the actual people you are trying to help. I don't want to call that "charity" though since that word has another meaning to me ("blindly giving away money to things that make me warm and fuzzy"). If charity was more focused around those kinds of projects though I would be less critical of the form it takes today.

Comment Re:And the rest? (Score 1) 351

You're assuming politicians in general have a clue about anything remotely technical. And this is Pakistan. Because the Netscape developers called the state mechanism in HTTP "cookies", politicians thought they understood what "cookies" did and began to regulate them.

Also, as usual most people here in Slashdot will start to brainstorm technical solutions and rage over the fact that society hasn't reached their cryptographic utopia yet where people memorize 2048-bit RSA key pairs and all centralized information technology has been replaced with distributed p2p counterparts. When your government wants to spy on you, you have a social problem - not a technical one.

Comment Re:Anyone should be free to decide (Score 2) 326

Your analogy is invalid. Not being able to view the source code of a program you are using is obviously not the same as being a "slave". Being able to improve existing source code and profit from it is also obviously not the same thing as "being able to own slaves". Your views honestly scare me if you truly believe using proprietary software is "slavery". It makes me understand what was going on in FOSS extremists' heads though when they introduced GPLv3.

Comment Re:Biggest tight wad of all time (Score 4, Insightful) 324

Personally I don't believe in charity. You can't just throw money on social problems and have them magically disappear. History has shown that time and time again. It feels more like an American cultural phenomenon where people expect celebrities to make shallow statements on how "world peace is great" and donate some money "to the cause". I'm not a big fan of Steve Jobs but the fact that he hasn't thrown away his money on some temporary Africa projects and rather invested them in the economy (the real eradicator of poverty) doesn't affect my view on him negatively the slightest bit.

Comment Re:Mozilla wants to blacklist the CA it seems. (Score 1) 229

100% correct. They can no longer be trusted and should be instantly removed. If they come back with a full post mortem study, including the steps they have implemented for it to never happen again, plus a full list of all fraudulent certificates they have issued they should be reconsidered again, but only after sufficient penalty time has passed, say one year. This is to prevent other CAs from making the same mistake.

Oh and the CA system is utterly broken. This is the scenario all security researchers anticipated and failed to be surprised by. When can we get a standard based on DNSSEC instead?
