[Cryptography] Google distrusts Symantec for mis-issuing 30,000 HTTPS certs
Thierry Moreau
thierry.moreau at connotech.com
Sat Mar 25 09:48:37 EDT 2017
On 24/03/17 10:55 PM, Henry Baker wrote:
>
> Perhaps my questions weren't clear.
>
> What I really want to know is: in the evolution of the internet, how did we come to the point where I have to trust a single choke-point of failure [...] in order to transact any business?
>
The PKC (public key crypto) security certificate technology was never
taught with any sensible user mental model.

If it had been, there would be a trust anchor editor in our systems and
you and I, even only as expert users, would be inclined to add and
remove entries. Furthermore, the edited trust anchor set would be
applied to new browser installations (as a typical recommended
installation step), and carried to a new laptop, just like our contact list.

Delegation of trust anchor set management to some user-selected entity
would likely be prevalent (e.g. employer organization, ISP, ...) but the
trust anchor editor tools used by the management entity would remain
available if the user revokes the delegation.

In the times when this should have been put in place, the fashionable
issues (e.g. key size recommendations, RSA vs ECC) were obfuscating the
core technology ingredients.

- Thierry Moreau