[Cryptography] Is it time for a revolution to replace TLS?

Phillip Hallam-Baker hallam at gmail.com
Tue May 13 21:35:24 EDT 2014


On Tue, May 13, 2014 at 8:08 PM, grarpamp <grarpamp at gmail.com> wrote:
>> 1) There is a connection between these three threads.  It seems
>> to me that 6845 forged certificates is 6845 too many.  It is proof
>> that TLS has failed in its primary mission.
>
> Err, that x509 has failed as implemented in the 'global' CA model.
> There never was the 'one true CA' [1], housed at ARIN or the UN
> or some such, from which all downstream CAs [revokeably] spawn.
> It's really just who pays and doc's up enough to be put in NSS as a
> commercial competitor. And that only covers rogue / counter-CPS
> CAs, not all the click-to-accept MITM stuff outside of that.

So PKI is a failure for not succeeding in implementing a stupid,
dangerous model?

The lack of a single root isn't a failure. It was a very deliberate
design decision, one that I see no reason to revisit.

A single root PKI means that whoever controls the root controls
everything. EVERYTHING. To quote Davros 'that power would set me
amongst the Gods'.

The attempt to set up a single root in DNSSEC is the reason I consider
the project dangerous and foolhardy. I have been speaking out against
it now for ten years. That is not because I want to kill DNSSEC, it is
because it is a fixable error and one that I want to see fixed.

It's not just me who has this problem. Two gentlemen, one of whom I know
to be ex-KGB (now GRU) I presume, tried to explain the problem to Steve
Crocker some years ago to no effect. Crocker isn't at all worried
about the possibility he might do something others disagreed with
after they have no opportunity to change service providers.


It's the world wide WEB, not the world wide top-down hierarchy with the
US government at the top of the pyramid.

-- 
Website: http://hallambaker.com/