[Cryptography] Certificates and PKI

Guido Witmond guido at witmond.nl
Sun Dec 21 12:25:58 EST 2014


On 19-12-14 12:38, Jerry Leichter wrote:

> How can we get the browser makers to stop buying in to the PKI
> fiction that does little except keep the CA business model alive?

By promoting DANE support in the browsers. Install every DANE-validator
plugin and enable the browser to spy on your plugin-list.

Or forget browsers and go the App-way:

Create DANE-validating libraries for Android/iOS/Windows-phone and get
them adopted for their stronger security-properties, ultimately leaving
browsers behind as untrustworthy technology.


Oh, and apply every other verification mechanism out there too. The more
available the more expensive it becomes to mess with the system.

We shouldn't fight about security mechanisms, we should apply them all.
Don't let the bad guys play 'divide and conquer'.

There is no panacea but every mechanism counts.

Does this answer your question?

Regards, Guido Witmond

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141221/fe2e90e7/attachment.sig>


More information about the cryptography mailing list