[Cryptography] Certificates and PKI
Ben Laurie
ben at links.org
Tue Dec 23 06:22:43 EST 2014

On 23 December 2014 at 03:38, Nico Williams <nico at cryptonector.com> wrote:
> On Mon, Dec 22, 2014 at 01:33:53PM +0000, Ben Laurie wrote:
>> On 21 December 2014 at 19:19, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
>> > * More progress needs to be made on the DNSSEC last-mile
>> > problem,
>>
>> Indeed, this does appear to be the biggest blocker for DANE.
>>
>> But also: DANE puts registries and registrars in the roles of CA and
>> RA. If we think CAs are not a good solution, how is it the
>> registries/registrars magically are?
>
> CAs weren't necessarily a bad solution. Unconstrained naming definitely
> was.
>
> DNSSEC (and therefore DANE) has that critical feature that PKIX only has
> as-specified but never will as-deployed: naming constraints.
>
> RAs might well be as awful as CAs. But at least they'll be constrained.
>
> Then there's naming. X.500 naming is just. such. a. disaster.
>
> People -perhaps every literate human with an Internet connection- are
> conversant with domain names.

That is patently untrue - if they were, phishing would be a whole lot
harder than it is.

> Perhaps three people outside this list
> understand X.500 naming.
>
> Naming constraints is PKIX's last-mile problem.
>
> If you look at it this way, which horse has a better chance of winning?

I'm not sure which horses we are talking about? Or what they might win?