Dutch Transport Card Broken
James A. Donald
jamesd at echeque.com
Wed Jan 30 18:40:58 EST 2008
Perry E. Metzger wrote:
> (No, I'm not a fan of X.509 certs, but those are not
> core to the protocol, and you can think of them as
> nothing more than a fancy key container format if you
> like. Key management is not addressed by SSL, so there
> is no reason that fixing key management has anything
> to do with SSL per se.)
The two actually working, widely used, secure systems
are SSH and Skype, neither of which uses SSL/TLS/PKI
The proof of the pudding is in the eating. When large
numbers of people use cryptography that really does make
them secure, they are not using SSL/TLS/PKI.
SSL involves digital certificates. The particular
digital certificate format necessarily imply a PKI
structure with the same sort of defects as the existing
PKI structure, which secures what does not matter much,
and fails to secure that which does matter. In this
sense, X.509 certificates are core to the protocol, and
that is the big problem with the protocol, though
neither am I happy about the fact that when the client
initiates a communication, the data it actually wants to
send only gets sent after the the *third* round trip.
> My opinion (and just about everyone else's) is well
> known.
There is a serious security problem in the network. It
needs fixing. SSL/TLS/PKI exists, yet is entirely
ineffectual in fixing it.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list