browser vendors and CAs agreeing on high-assurance certificates

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Dec 23 03:30:06 EST 2005


"James A. Donald" <jamesd at echeque.com> writes:

>But is what they are doing wrong?

The users?  No, not really, in that given the extensive conditioning that
they've been subject to, they're doing the logical thing, which is not paying
any attention to certificates.  That's why I've been taking the (apparently
somewhat radical) view that PKI in browsers is a lost cause - apart from a
minute segment of hardcore geeks, neither users nor web site admins
understand it or care about it, and no amount of frantic turd polishing will
save us any more because it's about ten years too late for that - this
approach has been about as effective as "Just say no" has for STDs and drugs.
That's why I've been advocating alternative measures like mutual
challenge-response authentication; it's definitely still got its problems, but
it's nothing like the mess we're in at the moment.  PKI in browsers has had 10
years to start working and has failed completely; how many more years are we
going to keep diligently polishing away before we start looking at alternative
approaches?

Peter.
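
The post names mutual challenge-response authentication as the alternative but
does not spell out an exchange. The block below is an added example, not code
from the original post and not Gutmann's own design: it shows one common shape
of such a protocol, in which each side proves knowledge of a pre-shared key by
returning an HMAC over a role label and both parties' fresh nonces. The key
value, the HMAC-SHA256 choice, the role labels and the message order (server
proves first, client second) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example only; a real deployment gets this from an
# enrolment step (account setup, a one-time code, a provisioning tool).
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NONCE_LEN = 16


def _tag(key: bytes, role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC-SHA256 over a role label and both nonces.

    The role label stops a reflection attack (feeding a party's own response
    back to it as the peer's proof); covering both nonces ties the proof to
    this single run so a captured tag is useless later."""
    return hmac.new(key, role + nonce_a + nonce_b, hashlib.sha256).digest()


class Peer:
    """One side of the exchange. Both sides run identical code; only the
    role label differs."""

    def __init__(self, key: bytes, role: bytes):
        self.key = key
        self.role = role
        self.nonce = b""        # our challenge to the peer
        self.peer_nonce = b""   # the peer's challenge to us

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(NONCE_LEN)
        return self.nonce

    def accept_challenge(self, peer_nonce: bytes) -> None:
        self.peer_nonce = peer_nonce

    def prove(self) -> bytes:
        # Our proof: HMAC(K, our_role || peer's nonce || our nonce)
        return _tag(self.key, self.role, self.peer_nonce, self.nonce)

    def verify(self, peer_role: bytes, tag: bytes) -> bool:
        # Recompute what the peer must have sent, compare in constant time.
        expected = _tag(self.key, peer_role, self.nonce, self.peer_nonce)
        return hmac.compare_digest(expected, tag)


def run_protocol(client: Peer, server: Peer) -> tuple:
    """Drive the three messages and return (client_accepts, server_accepts).

    1. client -> server: Nc
    2. server -> client: Ns, HMAC(K, "server" || Nc || Ns)
    3. client -> server: HMAC(K, "client" || Ns || Nc)   (only if 2 checked)
    """
    nc = client.challenge()
    server.accept_challenge(nc)
    ns = server.challenge()
    server_proof = server.prove()
    client.accept_challenge(ns)
    client_ok = client.verify(b"server", server_proof)
    if not client_ok:
        # Client aborts before proving anything, so a bogus "server" learns
        # nothing it could relay elsewhere.
        return (False, False)
    client_proof = client.prove()
    server_ok = server.verify(b"client", client_proof)
    return (client_ok, server_ok)


def replay_rejected(key: bytes) -> bool:
    """A server proof captured in one run must fail against a fresh client."""
    client, server = Peer(key, b"client"), Peer(key, b"server")
    server.accept_challenge(client.challenge())
    ns = server.challenge()
    captured_proof = server.prove()
    victim = Peer(key, b"client")
    victim.challenge()               # fresh Nc, so the old tag cannot match
    victim.accept_challenge(ns)      # attacker replays Ns and the old proof
    return not victim.verify(b"server", captured_proof)


if __name__ == "__main__":
    print(run_protocol(Peer(SHARED_KEY, b"client"), Peer(SHARED_KEY, b"server")))
    print(run_protocol(Peer(SHARED_KEY, b"client"), Peer(b"\x00" * 32, b"server")))
    print(replay_rejected(SHARED_KEY))
```

Nothing here involves a certificate or a third party: each side only checks
that the other knows the key it already shares with it. The server proving
first matters for phishing resistance, since a site that cannot answer the
client's challenge never gets a client proof to pass on; what it does not give
you is any way to bootstrap trust with a site you have never enrolled with,
which is the problem the post leaves open.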

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

