[Cryptography] SSL Certificates are expiring...
Bill Frantz
frantz at pwpconsult.com
Fri Feb 14 16:43:26 EST 2020
On 2/13/20 at 6:40 PM, phill at hallambaker.com (Phillip Hallam-Baker) wrote:
>On Tue, Feb 11, 2020 at 7:43 PM Bill Frantz <frantz at pwpconsult.com> wrote:
>
>>...
>>
>>When you make good money selling certificates, you love the
>>hammer you have.
>>
>
>I think this is an unhelpful way to think.
Phillip and I will perhaps have to agree to disagree. I have
always objected to having to rely on a "Trusted Third Party"
(TTP) to validate any web connection. When I deal with
individuals and businesses outside of the computer
communications world, I use the model of recognition, not
attestation. I may buy something inexpensive to start developing
trust in my counter-party. I'll use the physical location or
face as an anchor for that developing trust, not a TTP.
For the web, I would like to have my trust anchor for a site be
through a key it controls, not a CA. When I go to a site using a
CA as a trust anchor, I will keep my financial and secret data
exposure low until I have some transaction experience. I want to
know I'm talking to the same site I was talking to when I
developed the trust I have, not an intruder site attested to by
an untrustworthy TTP. (Do browsers still have over 80 trust anchors?)
I think we have the current system because that was the only
system people could build a business model around, and that the
need to support that business model was reflected in
contributions to the standards bodies.
>IoT needs a PKI. But PKIX has a bunch of assumptions built in that are
>unhelpful (to say the least). Sure, we need something a bit different but
>who is going to design and deploy that infrastructure?
Phillip may have meant the following, but here's my take for clarity.
It seems to me that an IoT device doesn't need a traditional
PKI. It needs to validate the devices it talks to -- the light
switch and the bulbs need to validate each other, which is
better done through direct introduction. The phone app which
allows remote control should be verifying the device using the
public key pair built into it.
When the IoT device talks to the mother ship to upload your
behavior profile, it would be better to include the necessary
public keys in the device when it is purchased.
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz        | "Web security is like medicine - trying to do good for
408-348-7900       | an evolved body of kludges" - Mark Miller
www.pwpconsult.com |
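The key-continuity model the post argues for (trust anchored in the site's own key rather than a CA, exposure kept low until there is transaction experience, and factory-provisioned keys for the IoT "mother ship"), sketched as an added Python example that is not from the post or from any named project. The host names, key bytes and the five-contact threshold are constructed for illustration.

```python
# Key-continuity ("same key as last time") checker: added illustration, not from the post.
import hashlib
from dataclasses import dataclass, field

FIRST_SEEN, MATCH, MISMATCH = "first-seen", "match", "mismatch"


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the peer's SubjectPublicKeyInfo (DER); constructed bytes work too."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class ContinuityStore:
    """Per-host pin of the first key seen, plus a count of matching contacts."""
    pins: dict = field(default_factory=dict)      # host -> fingerprint
    contacts: dict = field(default_factory=dict)  # host -> contacts where the key matched

    def preload(self, host: str, spki_der: bytes) -> None:
        # Key shipped with the device/app (the post's "include the necessary public
        # keys in the device when it is purchased"): pinned before any network contact.
        self.pins[host] = spki_fingerprint(spki_der)
        self.contacts.setdefault(host, 0)

    def check(self, host: str, spki_der: bytes) -> str:
        fp = spki_fingerprint(spki_der)
        known = self.pins.get(host)
        if known is None:                 # first contact: remember this key
            self.pins[host] = fp
            self.contacts[host] = 1
            return FIRST_SEEN
        if known == fp:                   # same key as before: continuity holds
            self.contacts[host] += 1
            return MATCH
        return MISMATCH                   # key changed: do not silently re-pin

    def exposure(self, host: str) -> str:
        # Constructed policy: share little until there is transaction history.
        if host not in self.pins:
            return "none"
        return "low" if self.contacts.get(host, 0) < 5 else "normal"


if __name__ == "__main__":
    store = ContinuityStore()
    print(store.check("shop.example", b"constructed-key-A"), store.exposure("shop.example"))
```

A MISMATCH is the signal the post cares about: the counterparty's key changed, so the stored pin is kept and the caller decides how to react rather than re-pinning automatically.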