[Cryptography] Toxic Combination

Anne & Lynn Wheeler lynn at garlic.com
Wed Dec 10 15:35:23 EST 2014

On 12/09/14 12:27, grarpamp wrote:
> First thing I remember thinking about the whole CA cert game
> way back years ago when people started thinking they needed
> certs, at $100++ per year, as opposed to verified and pinned self
> signed for the sites you care about, was... wtf, why?, scam!!!
> Turns out, it's actually shaping up to be the greatest internet
> swindle of all time. Hook, line, sinker.

In prior life at we periodically did visits to Project Athena
for reviews/audits of the projects ... including Kerberos ...
one visit sat through sessions defining x-domain operation.

Later doing the previously referenced transaction standard & chip
work ... also extended it so that the process worked in such a way that
it could be any authentication (not just payments) ... and
chip could be "person-centric" ... the same chip/key could be
used for all of a person's institutional authentication
... non-CA digital signature in lieu of passwords, POS payments,
internet payments, door badge entry, etc. One of the interesting ones
was when the transit industry called and requested that it also be able
to work with transit turnstiles ... had to be able to do the
transaction within the transit turnstile contactless power
and elapsed time limitations. Chip had to still be more
secure than any of the heavyweight payment security chips and
cost less than typical transit industry chip.

Effort also included making freely available RADIUS and Kerberos code
that would use public key in lieu of password w/o requiring
digital certificate and/or involve CA. I did part of internet
draft for certificateless public key mode for Kerberos ...
but then the CA forces jumped in and made pk-init all about
CA-based infrastructure.

Later one of the people that helped drive CA-based pk-init ...
called and admitted the mistake and asked me to give
certificateless public key presentations to his organization.

Long ago joke, at early 90s ACM SIGMOD (DBMS) meeting in San Jose,
there was a panel discussion in a large, full ballroom ... somebody
in the audience asked what all this X.5xx stuff was about. Somebody
on the panel said it was a bunch of network engineers attempting
to re-invent 1960s DBMS technology.

virtualization experience starting Jan1968, online at home since Mar1970
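The certificateless public-key login the post describes (a registered public key standing in for the password, with no certificate and no CA anywhere in the path), as an added example; this is not Lynn's RADIUS/Kerberos code nor any existing implementation, and the in-memory Registry, the principal name and the message format are assumptions of the example. Written in Go with the standard-library Ed25519 package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry: hypothetical stand-in for the password file, principal -> pinned public key
// registered out of band at enrolment. No certificate and no CA anywhere in the path.
type Registry map[string]ed25519.PublicKey

// NewNonce draws the server's random challenge; it makes each response single-use.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Message is what gets signed: principal, NUL, nonce, so a response for one
// account cannot be replayed against another (assumed format, not a standard one).
func Message(principal string, nonce []byte) []byte {
	return append([]byte(principal+"\x00"), nonce...)
}

// Respond is the client side: prove possession of the private key, nothing else attached.
func Respond(priv ed25519.PrivateKey, principal string, nonce []byte) []byte {
	return ed25519.Sign(priv, Message(principal, nonce))
}

// Verify is the server side: check the signature against the pinned key. No chain to
// walk, no CA to trust; an unregistered principal or a bad signature both fail closed.
func (r Registry) Verify(principal string, nonce, sig []byte) error {
	pub, ok := r[principal]
	if !ok {
		return errors.New("unknown principal")
	}
	if !ed25519.Verify(pub, Message(principal, nonce), sig) {
		return errors.New("signature does not verify against pinned key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"lynn": pub} // constructed sample enrolment
	nonce, _ := NewNonce()
	fmt.Println("login ok:", reg.Verify("lynn", nonce, Respond(priv, "lynn", nonce)) == nil)
}
```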
