[Cryptography] Certificates and PKI

Nico Williams nico at cryptonector.com
Tue Dec 23 11:16:11 EST 2014

On Tue, Dec 23, 2014 at 11:22:43AM +0000, Ben Laurie wrote:
> On 23 December 2014 at 03:38, Nico Williams <nico at cryptonector.com> wrote:
> > Then there's naming.  x.500 naming is just. such. a. disaster.
> >
> > People -perhaps every literate human with an Internet connection- are
> > conversant with domainnames.
> That is patently untrue - if they were, phishing would be a whole lot
> harder than it is.

That's a different problem that PKIX naming is also susceptible to
(probably any naming scheme where "labels" of any sort are used would

> > If you look at it this way, which horse has a better chance of winning?
> I'm not sure which horses we are talking about? Or what they might win?

DNSSEC/DANE has a simpler last mile problem than the problems that
plague PKIX as-deployed in the WebPKI.  The future is DNSSEC's.


More information about the cryptography mailing list