[Cryptography] Certificates and PKI
Nico Williams
nico at cryptonector.com
Tue Dec 23 11:16:11 EST 2014
On Tue, Dec 23, 2014 at 11:22:43AM +0000, Ben Laurie wrote:
> On 23 December 2014 at 03:38, Nico Williams <nico at cryptonector.com> wrote:
> > Then there's naming. x.500 naming is just. such. a. disaster.
> >
> > People -perhaps every literate human with an Internet connection- are
> > conversant with domainnames.
>
> That is patently untrue - if they were, phishing would be a whole lot
> harder than it is.
That's a different problem that PKIX naming is also susceptible to
(probably any naming scheme where "labels" of any sort are used would
be).
> > If you look at it this way, which horse has a better chance of winning?
>
> I'm not sure which horses we are talking about? Or what they might win?
DNSSEC/DANE has a simpler last mile problem than the problems that
plague PKIX as-deployed in the WebPKI. The future is DNSSEC's.
Nico
--
More information about the cryptography
mailing list