[Cryptography] SSL Certificates are expiring...

Bill Frantz frantz at pwpconsult.com
Fri Feb 14 16:43:26 EST 2020 

On 2/13/20 at 6:40 PM, phill at hallambaker.com (Phillip 
Hallam-Baker) wrote:

>On Tue, Feb 11, 2020 at 7:43 PM Bill Frantz <frantz at pwpconsult.com> wrote:
>
>>...
>>
>>When you make good money selling certificates, you love the
>>hammer you have.
>>
>
>I think this is an unhelpful way to think.

Phillip and I will perhaps have to agree to disagree. I have 
always objected to having to rely on a "Trusted Third Party" 
(TTP) to validate any web connection. When I deal with 
individuals and businesses outside of the computer 
communications world, I use the model of recognition, not 
attestation. I may buy something inexpensive to start developing 
trust in my counter-party. I'll use the physical location or 
face as an anchor for that developing trust, not a TTP.

For the web, I would like to have my trust anchor for a site be 
through a key it controls, not a CA. When I go to a site using a 
CA as a trust anchor, I will keep my financial and secret data 
exposure low until I have some transaction experience. I want to 
know I'm talking to the same site I was talking to when I 
developed the trust I have, not a intruder site attested to by 
an untrustworthy TTP. (Do browsers still have over 80 trust anchors?)

I think we have the current system because that was the only 
system people could build a business model around, and that the 
need to support that business model was reflected in 
contributions to the standards bodies.


>IoT needs a PKI. But PKIX has a bunch of assumptions built in that are
>unhelpful (to say the least). Sure, we need something a bit different but
>who is going to design and deploy that infrastructure?

Phillip may have meant the following, but here's my take for clarity.

It seems to me that an IoT device doesn't need a traditional 
PKI. It needs to validate the devices it talks to -- the light 
switch and the bulbs need to validate each other, which is 
better done through direct introduction. The phone app which 
allows remote control should be verifying the device using the 
public key pair built into it.

When the IoT device talks to the mother ship to upload your 
behavior profile, it would be better to include the necessary 
public keys in the device when it is purchased.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"Web security is like medicine - trying to 
do good for
408-348-7900       |an evolved body of kludges" - Mark Miller
www.pwpconsult.com |

More information about the cryptography mailing list