[Cryptography] SSL Certificates are expiring...

Phillip Hallam-Baker phill at hallambaker.com
Thu Feb 13 18:40:23 EST 2020


On Tue, Feb 11, 2020 at 7:43 PM Bill Frantz <frantz at pwpconsult.com> wrote:

> On 2/7/20 at 6:12 PM, matt at hezmatt.org (Matt Palmer) wrote:
>
> >On Wed, Feb 05, 2020 at 12:36:29PM +0000, Stephan Neuhaus wrote:
> >>On 1/31/20 11:08 PM, Henry Baker wrote:
> >>>I just hope that implantable medical devices can have their builtin
> >>>certificates updated!
> >>
> >>And I hope that IoT developers realise that the PKI model of
> >>trust is not a good match for (much of) IoT security.
> >
> >When all you have is a hammer, everything looks like a thumb.
>
> When you make good money selling certificates, you love the
> hammer you have.
>

I think this is an unhelpful way to think.

IoT needs a PKI. But PKIX has a bunch of assumptions built in that are
unhelpful (to say the least). Sure, we need something a bit different but
who is going to design and deploy that infrastructure?

If the assumption is CAs, then of course they are going to pick up PKIX
because (1) that is the only infrastructure their back end supports and (2)
that is the only infrastructure currently specified.

How many people do you know other than myself who are currently actively
designing an alternative PKI approach? As far as I know, the answer is
zero. And at the moment, I am the only person backing the work. So we are
in Victorian lone gentleman inventor mode for your IoT PKI.

It really isn't the CAs driving this monoculture. When people wanted a BGP
PKI, they decided to start with PKIX despite the obvious fact it is the
worst match imaginable. So lots of baroque and non-standard path
constraints.

They didn't need a certificate-based PKI at all, they just needed a
sequence mapping IP address allocations to BGP signature keys and to sign it
hourly. Every relying party needs every assignment assertion. There aren't
all that many of them (there were only 16 million class Cs), oh, and they
don't change all that often. Less than once a year. But they wanted the
warm comfort of PKIX and there were no CAs involved in that choice.
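
The signed assignment list described in the last paragraph of the message, sketched as an added Go example that is not part of the original post or of any deployed system. The type names, the text encoding of the signed body, the use of Ed25519 and the one-hour freshness window checked by the verifier are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/netip"
	"time"
)

// Entry binds one address allocation to the key that signs its BGP announcements.
type Entry struct {
	Prefix netip.Prefix
	Key    ed25519.PublicKey
}

// Snapshot is the complete assignment list, signed as one unit (hypothetical format).
type Snapshot struct {
	Issued  time.Time
	Entries []Entry
	Sig     []byte
}

// body is the byte string that gets signed: issue time, then every entry in order.
func (s *Snapshot) body() []byte {
	out := fmt.Sprintf("issued=%d\n", s.Issued.Unix())
	for _, e := range s.Entries {
		out += fmt.Sprintf("%s=%x\n", e.Prefix, e.Key)
	}
	return []byte(out)
}

// Valid accepts the list only if it is no older than maxAge and the signature checks out.
func (s *Snapshot) Valid(root ed25519.PublicKey, now time.Time, maxAge time.Duration) bool {
	age := now.Sub(s.Issued)
	return age >= 0 && age <= maxAge && ed25519.Verify(root, s.body(), s.Sig)
}

// demo runs on a constructed one-entry list (documentation prefix, throwaway keys).
func demo() (fresh, stale, tampered bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	asKey, _, _ := ed25519.GenerateKey(nil)
	s := &Snapshot{Issued: time.Now(), Entries: []Entry{{netip.MustParsePrefix("192.0.2.0/24"), asKey}}}
	s.Sig = ed25519.Sign(rootPriv, s.body()) // the registry would redo this every hour
	fresh = s.Valid(rootPub, s.Issued, time.Hour)
	stale = s.Valid(rootPub, s.Issued.Add(2*time.Hour), time.Hour)
	s.Entries[0].Prefix = netip.MustParsePrefix("198.51.100.0/24") // altered after signing
	return fresh, stale, s.Valid(rootPub, s.Issued, time.Hour)
}

func main() { fmt.Println(demo()) }
```

A relying party in this sketch holds only the registry's public key and the latest list; a list that is two hours old or has had an entry changed after signing is refused.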