[Cryptography] distrusted root CA: WoSign
Peter Bowen
pzbowen at gmail.com
Sat Oct 1 14:43:37 EDT 2016
On Sat, Oct 1, 2016 at 2:12 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> John Denker <jsd at av8n.com> writes:
>
>>In general, why do we put up with this? Why, why, why?
>
> Because we have no choice. What are you going to do in order to opt out, stop
> using the web? It's a totally captive market.
>
> Note that things are run by the CA/Browser forum, not the CA/Browser/web site
> operator/end user/customer forum. The only people with a say in things are
> the ones who are making money off the whole racket, and they aren't going to
> do anything to change the status quo.
I respectfully disagree. There is action to improve the status quo.
I also do think there are members of the CA/Browser Forum who are open
to suggestions on how to make things better. But they have to work in
the world that exists.
The key challenge is how does a human using a web browser authenticate
a connection to a website that they have never previously visited?
This the core problem that browsers are trying to solve by using PKIs.
Right now the best solution is to have a third party (a CA) do checks
ahead of time and issue a signed certificate stating that they did
checks. An alternative model is DANE, where the third party signs an
identity that then certifies that a specific public key is held by the
website.
I'm very open to other solutions, work for a member of the CA/Browser
Forum, and am not known for being quiet at the Forum. Please suggest
solutions!
Thanks,
Peter
More information about the cryptography
mailing list