[Cryptography] distrusted root CA: WoSign

Ben Laurie ben at links.org
Sat Oct 1 18:02:19 EDT 2016


On 1 October 2016 at 10:12, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> John Denker <jsd at av8n.com> writes:
>
>>In general, why do we put up with this?  Why, why, why?
>
> Because we have no choice.  What are you going to do in order to opt out, stop
> using the web?  It's a totally captive market.
>
> Note that things are run by the CA/Browser forum, not the CA/Browser/web site
> operator/end user/customer forum.  The only people with a say in things are
> the ones who are making money off the whole racket, and they aren't going to
> do anything to change the status quo.

I am so sick of this lame rhetoric. What is your proposed solution?
Put up or shut up.

More polite version: yes, it is a hard problem, but how do you solve
it without some kind of central authority? On what basis can the end
user validate a certificate, other than some authority doing it on
their behalf? Of course I think that adding transparency to those
authorities is a major win, but other than that, where do you go?
Alternatives like DANE are just shuffling the deck chairs on the
Titanic. What can you do that is radically better than CAs +
transparency?
