On Wed, Jul 28, 2010 at 01:21:33PM +0100, Ben Laurie wrote:
> On 28/07/2010 13:18, Peter Gutmann wrote:
> > Ben Laurie <b...@links.org> writes:
> >
> >> I find your response strange. You ask how we might fix the problems, then
> >> you respond that since the world doesn't work that way right now, the fixes
> >> won't work. Is this just an exercise in one-upmanship? You know more ways
> >> the world is broken than I do?
> >
> > [...]. I'm after effective practical solutions, not just "a solution
> > exists, QED" solutions.
>
> The core problem appears to be a lack of will to fix the problems, not a
> lack of feasible technical solutions.
>
> I don't know why it should help that we find different solutions for the
> world to ignore?
Solutions at higher layers might have a better chance of getting deployed.
No, I'm not suggesting that we replace TLS and HTTPS with application-layer
crypto over HTTP, not entirely anyway. I am suggesting that we use what
little TLS does give us in ways that don't require changing TLS much or at
all.

Application-layer authentication with tls-server-end-point channel bindings
seems like a feasible candidate. This too would require changes on clients
and servers, which makes it not-that-likely to get implemented and deployed,
but not changes at the TLS layer (other than an API by which to extract a TLS
connection's server cert). It could be deployed incrementally such that users
who can use it get better security. Then if the market gives a damn about
security, it might get closer to fully deployed in our lifetimes.

The assumption here is that improvements at the TLS and PKI layers occur with
enormous latency. If this were true at all layers then we could just give up,
or aim to fix not just today's problems, but tomorrow's, a decade or three
from now (ha). It'd be nice if that assumption were not true at all.

Nico
-- 
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
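The mechanism Nico sketches above, shown as an added example that is not code from the post or from any project: the tls-server-end-point channel binding of RFC 5929 (a hash of the server's DER certificate, with the hash chosen from the certificate's signature algorithm and MD5/SHA-1 upgraded to SHA-256) is folded into an application-layer challenge-response. The certificate byte strings, the password, the `sig_hash` parameter and all function names are constructed for illustration; a real client would take the DER from its TLS connection (for instance `ssl.SSLSocket.getpeercert(binary_form=True)` in Python, which is the only TLS-layer hook needed) and read the signature hash out of the certificate rather than receiving it as a parameter. The `run_exchange` simulation shows the security property: a proxy interposed on the TLS connection presents its own certificate, so the client's proof binds to the wrong certificate and the real server rejects it, and the proxy cannot recompute the proof without the password.

```python
"""tls-server-end-point channel binding (RFC 5929 section 4) used inside an
application-layer challenge-response.  Added example; the certificate bytes,
password and function names are constructed, not taken from the post."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
SERVER_CERT_DER = b"\x30\x82\x01\x00" + b"real-server-certificate-bytes"
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + b"mitm-proxy-certificate-bytes"

# Binding-type label mixed into the MAC input so the key is not reused for
# some other purpose with the same nonce.
CB_TYPE = b"tls-server-end-point"


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """Channel-binding value for a server certificate.

    RFC 5929 section 4.1: hash the DER certificate with the hash function
    named in its signatureAlgorithm, except that MD5 and SHA-1 are replaced
    by SHA-256.  A signature algorithm without a single well-defined hash
    has no binding value, so such certificates are rejected here.
    (sig_hash is passed in; real code parses it out of the certificate.)
    """
    alg = sig_hash.lower().replace("-", "")
    if alg in ("md5", "sha1"):
        alg = "sha256"
    if alg not in hashlib.algorithms_available:
        raise ValueError(f"no tls-server-end-point binding for {sig_hash!r}")
    return hashlib.new(alg, cert_der).digest()


def client_proof(password: bytes, nonce: bytes, cert_seen_der: bytes,
                 sig_hash: str) -> bytes:
    """Client side of the application-layer authentication.

    The proof is an HMAC over the server's nonce and the binding of the
    certificate the client actually saw on its own TLS connection, so it is
    only valid towards the endpoint that presented that certificate.  (A
    password-hashing scheme such as SCRAM would be used in practice; a raw
    HMAC keeps the binding mechanics visible.)
    """
    cb = tls_server_end_point(cert_seen_der, sig_hash)
    msg = CB_TYPE + b":" + cb + b"|" + nonce
    return hmac.new(password, msg, "sha256").digest()


def server_verify(password: bytes, nonce: bytes, own_cert_der: bytes,
                  sig_hash: str, proof: bytes) -> bool:
    """Server side: recompute the proof over the certificate the server
    itself served on this connection and compare in constant time.
    Nothing inside TLS changes; the server only needs to know its own cert."""
    expected = client_proof(password, nonce, own_cert_der, sig_hash)
    return hmac.compare_digest(expected, proof)


def run_exchange(password: bytes, mitm: bool,
                 nonce: Optional[bytes] = None) -> bool:
    """Simulate one authentication.  With mitm=True the client's TLS
    connection terminates at an interposed proxy presenting
    ATTACKER_CERT_DER, which relays the application-layer messages
    unchanged to the real server.  Returns whether the server accepted."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    cert_seen = ATTACKER_CERT_DER if mitm else SERVER_CERT_DER
    proof = client_proof(password, nonce, cert_seen, "sha256")
    # The relay cannot repair the proof: it does not hold the password.
    return server_verify(password, nonce, SERVER_CERT_DER, "sha256", proof)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed shared secret
    print("direct connection accepted:", run_exchange(pw, mitm=False))
    print("relayed through MITM accepted:", run_exchange(pw, mitm=True))
```

Note that the binding says nothing about whether the certificate is the right one for the server; it only ties the authentication to whichever certificate the client's TLS connection actually ended at. That is exactly why it helps against an interposed endpoint without requiring any change to how TLS or the PKI validates certificates.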