[Cryptography] Certificates and PKI
ben at links.org
Tue Dec 23 12:49:40 EST 2014
On 23 December 2014 at 16:16, Nico Williams <nico at cryptonector.com> wrote:
> On Tue, Dec 23, 2014 at 11:22:43AM +0000, Ben Laurie wrote:
>> On 23 December 2014 at 03:38, Nico Williams <nico at cryptonector.com> wrote:
>> > Then there's naming. X.500 naming is just. such. a. disaster.
>> > People -perhaps every literate human with an Internet connection- are
>> > conversant with domain names.
>> That is patently untrue - if they were, phishing would be a whole lot
>> harder than it is.
> That's a different problem that PKIX naming is also susceptible to
> (probably any naming scheme where "labels" of any sort are used would
Sure, but that does not alter the point that most people do not
understand DNS, PKIX naming, or any other naming scheme we use.
>> > If you look at it this way, which horse has a better chance of winning?
>> I'm not sure which horses we are talking about? Or what they might win?
> DNSSEC/DANE has a simpler last mile problem than the problems that
> plague PKIX as-deployed in the WebPKI. The future is DNSSEC's.
Is this like the future being IPv6's? :-)
The last mile problem is sufficiently problematic currently that we
cannot realistically rely on DNSSEC (i.e. we would effectively
disenfranchise a significant fraction of users). Obviously this is not
ideal, but it's where we are.