[Cryptography] Moving forward on improving HTTP's security
James A. Donald
jamesd at echeque.com
Fri Nov 15 00:01:46 EST 2013
On 2013-11-14 15:46, Greg wrote:
> On Nov 13, 2013, at 7:05 PM, John Kelsey <crypto.jmk at gmail.com
> <mailto:crypto.jmk at gmail.com>> wrote:
>> So your solution is what? Continue sending data in the clear?
>
> The basics would be to not use the CAs. Working on rest of details,
> they're mostly finished, just gotta make 'em nice 'n pretty. And some
> code would be good, too.

The not quite good enough is the enemy of the adequate.

The problem with CAs is that Bob usually knows more about Carol than the
CA knows about Bob or Carol. Thus "trust" between Bob and Carol
supplied by the CA tends to be inconvenient, expensive and unsafe.

Introducing a distant third party between Bob and Carol is a security
hole, not a security solution.

The solution is yurls, Zooko's triangle, and, here comes the hard part,
squaring Zooko's triangle.