[Cryptography] Certificates and PKI

Ben Laurie ben at links.org
Tue Dec 23 06:22:43 EST 2014

On 23 December 2014 at 03:38, Nico Williams <nico at cryptonector.com> wrote:
> On Mon, Dec 22, 2014 at 01:33:53PM +0000, Ben Laurie wrote:
>> On 21 December 2014 at 19:19, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
>> >     * More progress needs to be made on the DNSSEC last-mile
>> >       problem,
>> Indeed, this does appear to be the biggest blocker for DANE.
>> But also: DANE puts registries and registrars in the roles of CA and
>> RA. If we think CAs are not a good solution, how is it the
>> registries/registrars magically are?
> CAs weren't necessarily a bad solution.  Unconstrained naming definitely
> was.
> DNSSEC (and therefore DANE) has that critical feature that PKIX only has
> as-specified but never will as-deployed: naming constraints.
> RAs might well be as awful as CAs.  But at least they'll be constrained.
> Then there's naming.  x.500 naming is just. such. a. disaster.
> People -perhaps every literate human with an Internet connection- are
> conversant with domainnames.

That is patently untrue - if they were, phishing would be a whole lot
harder than it is.

> Perhaps three people outside this list
> understand x.500 naming.
> Naming constraints is PKIX's last-mile problem.
> If you look at it this way, which horse has a better chance of winning?

I'm not sure which horses we are talking about? Or what they might win?

More information about the cryptography mailing list