Mozilla tool to self-verify HTTPS site
Marc Branchaud
marcnarc at rsasecurity.com
Mon Jun 30 18:51:55 EDT 2003
Ian Grigg wrote:
>
> Tying the certificate into the core crypto protocol seems to be a
> poor design choice; outsourcing any certification to a higher layer
> seems to work much better out in the field.
I'll reserve judgement about the significance of SSLBar, but I couldn't
agree more with the above point. The only way to use non-X.509 certs
with TLS 1.0 is by rather clunkily extending the ciphersuites to also
identify some kind of certificate type.
IMO, this fact has significantly contributed to the lack of adoption of
PGP, SPKI, and alternative PKIs on the Internet.
TLS's new extension mechanism can help address this (see
draft-ietf-tls-openpgp-keys), but it'll be a while before extension
support is common.
M.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list