browser vendors and CAs agreeing on high-assurance certificates

leichter_jerrold at emc.com
Fri Dec 23 12:00:49 EST 2005


| | >But is what they are doing wrong?
| | 
| | The users?  No, not really, in that given the extensive conditioning that
| | they've been subject to, they're doing the logical thing, which is not paying
| | any attention to certificates.  That's why I've been taking the (apparently
| | somewhat radical) view that PKI in browsers is a lost cause - apart from a
| | minute segment of hardcore geeks, neither users nor web site admins either
| | understand it or care about it, and no amount of frantic turd polishing will
| | save us any more because it's about ten years too late for that - this
| | approach has been about as effective as "Just say no" has for STD's and drugs.
| | That's why I've been advocating alternative measures like mutual
| | challenge-response authentication, it's definitely still got its problems
| | but it's nothing like the mess we're in at the moment.  PKI in browsers has
| | had 10 years to start working and has failed completely, how many more years
| | are we going to keep diligently polishing away before we start looking at
| | alternative approaches?
| I agreed with your analysis when I read it - and then went on to my next mail
| message, also from you, which refers to your retrospective on the year and had
| a pointer to a page at financialcryptography.  So ... I try to download the
| page - using my trusty Netscape 3.01, which with tons of things turned off
| (Java, Javascript, background images, autoloading of images) remains my
| work-a-day browser, giving decent performance on an old Sun box.
| 
| Well, guess what:
| 
| 	Netscape and this server cannot communicate securely
| 	because they have no common cryptographic algorithm(s).
| 
| So ... we have the worst possible combination:  A system that doesn't work,
| which is forced on you even when you don't care about it (I can live with
| the possibility that someone will do a MITM attack on my attempt to read your
| article).
| 
| Sigh.
BTW, illustrating points made here, the cert is for financialcryptography.com
but your link was to www.financialcryptography.com.  So of course Firefox
generated a warning....
							-- Jerry
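[Editor's note, added to this archive page; the code below is not from the
thread or from any browser it mentions.] The Firefox warning Jerry describes
is a name-mismatch check: the browser compares the hostname it was asked for
against the names in the server certificate, and a certificate for the bare
domain does not cover the "www." host. The function below reproduces that
comparison for a list of certificate names (dNSName SAN entries, or the CN
where no SANs exist) following the usual RFC 6125 rules: case-insensitive,
wildcard only as the whole leftmost label, one label per wildcard, and no
wildcards on names with fewer than three labels. The certificate name list is
constructed to mirror the case in the message.

```python
"""Hostname-vs-certificate name matching (added example, RFC 6125 style)."""


def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name (dNSName or CN) covers ``host``.

    Rules implemented here, chosen to follow common browser behaviour:
      * comparison is case-insensitive and ignores a trailing dot;
      * label counts must be equal, so 'example.com' never covers
        'www.example.com' (the situation described in the message);
      * a wildcard may appear only as the entire leftmost label and
        matches exactly one label, so '*.example.com' covers
        'www.example.com' but not 'example.com' or 'a.b.example.com';
      * wildcards are refused on patterns with fewer than three labels,
        since '*.com' would otherwise cover every .com host.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern or not host:
        return False

    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False

    if "*" in pattern:
        # Only a whole-label wildcard in the leftmost position is accepted;
        # 'www*.example.com' and 'foo.*.com' are both rejected.
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False

    # Compare label by label; the leftmost '*' (if any) matches one label.
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def hostname_matches(cert_names: list[str], host: str) -> bool:
    """True if any name the certificate was issued for covers ``host``."""
    return any(name_matches(name, host) for name in cert_names)


# Constructed to mirror the thread: a certificate issued only for the bare
# domain, reached via the www host that the link pointed at.
CERT_NAMES = ["financialcryptography.com"]

if __name__ == "__main__":
    for requested in ["financialcryptography.com",
                      "www.financialcryptography.com"]:
        verdict = "ok" if hostname_matches(CERT_NAMES, requested) else "NAME MISMATCH"
        print(f"{requested}: {verdict}")
```

The second line printed is the mismatch Firefox flagged. Fixing it is a
deployment matter, not a browser one: either issue the certificate with both
names as SAN entries, or have the bare domain and the www host link to the
same name the certificate actually carries.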


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
