browser vendors and CAs agreeing on high-assurance certificates
leichter_jerrold at emc.com
Fri Dec 23 12:00:49 EST 2005
| | >But is what they are doing wrong?
| |
| | The users? No, not really, in that given the extensive conditioning that
| | they've been subject to, they're doing the logical thing, which is not paying
| | any attention to certificates. That's why I've been taking the (apparently
| | somewhat radical) view that PKI in browsers is a lost cause - apart from a
| | minute segment of hardcore geeks, neither users nor web site admins either
| | understand it or care about it, and no amount of frantic turd polishing will
| | save us any more because it's about ten years too late for that - this
| | approach has been about as effective as "Just say no" has for STDs and drugs.
| | That's why I've been advocating alternative measures like mutual
| | challenge-response authentication, it's definitely still got its problems but
| | it's nothing like the mess we're in at the moment. PKI in browsers has had 10
| | years to start working and has failed completely, how many more years are we
| | going to keep diligently polishing away before we start looking at alternative
| | approaches?
| I agreed with your analysis when I read it - and then went on to my next mail
| message, also from you, which refers to your retrospective on the year and had
| a pointer to a page at financialcryptography. So ... I try to download the
| page - using my trusty Netscape 3.01, which with tons of things turned off
| (Java, Javascript, background images, autoloading of images) remains my
| work-a-day browser, giving decent performance on an old Sun box.
|
| Well, guess what:
|
| Netscape and this server cannot communicate securely
| because they have no common cryptographic algorithm(s).
|
| So ... we have the worst possible combination: A system that doesn't work,
| which is forced on you even when you don't care about it (I can live with
| the possibility that someone will do a MITM attack on my attempt to read your
| article).
|
| Sigh.
BTW, illustrating points made here, the cert is for financialcryptography.com
but your link was to www.financialcryptography.com. So of course Firefox
generated a warning....
-- Jerry
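The two client-side checks the message above runs into, an empty cipher-suite intersection ("no common cryptographic algorithm(s)") and a certificate whose name does not cover the host in the link (financialcryptography.com vs. www.financialcryptography.com), as an added Python example that is not part of the original message and is not code from Netscape, Firefox or any other browser. The certificate dict and the suite lists are constructed for illustration: the dict uses the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the suite lists are assumed, not either product's real configuration. Name matching follows the RFC 6125 rules (SAN dNSName entries take precedence over the CN; a wildcard only as the whole leftmost label, matching exactly one label).

```python
"""Added example: cipher-suite negotiation and certificate hostname matching.
Certificate and suite lists below are constructed, not captured from any server."""


def negotiate_cipher_suite(client_offer, server_preference):
    """Return the first suite in the server's preference order that the client
    also offered.  An empty intersection is a fatal handshake failure, which is
    what Netscape 3.x reports as "no common cryptographic algorithm(s)"."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def _dns_name_matches(pattern, hostname):
    """Match one dNSName (or CN) pattern against a hostname, RFC 6125 style:
    case-insensitive; '*' honoured only as the entire leftmost label; it covers
    exactly one label, so '*.example.com' matches neither example.com (the
    apex) nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard must be the whole leftmost label, with 2+ labels after it
    if any("*" in label for label in p_labels[1:]):
        return False  # no wildcards anywhere else
    if len(h_labels) != len(p_labels):
        return False  # '*' matches exactly one label
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert, hostname):
    """cert uses the dict shape of ssl.SSLSocket.getpeercert().  If any DNS
    subjectAltName entries exist, only those are consulted; the subject CN is a
    fallback for certificates that carry no SAN at all."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        candidates = san_dns
    else:
        candidates = [value
                      for rdn in cert.get("subject", ())
                      for key, value in rdn
                      if key == "commonName"]
    return any(_dns_name_matches(c, hostname) for c in candidates)


# Constructed certificate mirroring the situation in the post: the certificate
# names only the bare domain, while the link pointed at the www host.
FC_CERT = {"subject": ((("commonName", "financialcryptography.com"),),)}

# Constructed (assumed) suite lists: an export-era client against a server that
# offers only AES suites.  Illustrative, not either product's real configuration.
OLD_CLIENT_OFFER = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                    "SSL_RSA_WITH_RC4_128_MD5",
                    "SSL_RSA_WITH_DES_CBC_SHA"]
MODERN_SERVER_PREF = ["TLS_RSA_WITH_AES_256_CBC_SHA",
                      "TLS_RSA_WITH_AES_128_CBC_SHA"]


def run_demo():
    """Reproduce both failures from the post on the constructed inputs."""
    return {
        "suite": negotiate_cipher_suite(OLD_CLIENT_OFFER, MODERN_SERVER_PREF),
        "apex_ok": cert_matches_hostname(FC_CERT, "financialcryptography.com"),
        "www_ok": cert_matches_hostname(FC_CERT, "www.financialcryptography.com"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Adding a single common suite to the client's offer makes `negotiate_cipher_suite` succeed, and a certificate with a `*.financialcryptography.com` SAN would cover the www host but still not the apex, which is why operators typically list both names.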
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com