On Mon, 2 Aug 2010, Perry E. Metzger wrote:
> For example, in the internet space, we have http, smtp, imap and other protocols in both plain and ssl flavors. (IPSec was originally intended to mitigate this by providing a common security layer for everything, but it failed, for many reasons. Nico mentioned one that isn't sufficiently appreciated, which was the lack of APIs to permit binding of IPSec connections to users.)
If that was a major issue, then SSL would have been much more successful than it has been.

I have good hopes that soon we'll see use of our new biggest cryptographically signed distributed database. And part of the signalling can come in via the AD bit in DNSSEC (e.g. by adding an EDNS option to ask for special additional records signifying "SHOULD do crypto with this pubkey").

The AD bit might be a crude signal, but it's fairly easy to implement at the application level. Requesting specific additional records will remove the need for another latency-driven DNS lookup to get more crypto information. And obsolete the broken CA model while gaining improved support for SSL certs by removing all those end-user warnings.

Paul
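
The application-level AD-bit check mentioned in the message above, as an added example that is not part of the original post: Python that builds a DNSSEC-aware query (DO flag via EDNS0, AD set in the request as RFC 6840 allows) and accepts a response only when its AD flag is set. The function names and sample responses are constructed for illustration; the proposed EDNS option for extra key records is not modelled, since the message does not define it.

```python
import struct

QR, TC, AD, RD, RCODE_MASK = 0x8000, 0x0200, 0x0020, 0x0100, 0x000F
DO = 0x8000  # "DNSSEC OK" flag, carried in the TTL field of the EDNS0 OPT record

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build a query with RD and AD set and an OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def response_is_authenticated(query, response):
    """True only for a matching, complete, NOERROR response with AD set.

    The AD bit is set by the resolver, not signed, so it only means something
    when the path to a validating resolver is trusted (e.g. one on localhost).
    """
    if len(response) < 12:
        return False
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False
    if not flags & QR or flags & TC or flags & RCODE_MASK:
        return False
    return bool(flags & AD)

def constructed_response(txid, flags):
    """Constructed sample: a bare 12-byte response header with no records."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    for flags in (0x81A0, 0x8180, 0x81A2):  # AD set, AD clear, SERVFAIL with AD
        print(hex(flags), response_is_authenticated(q, constructed_response(0x1234, flags)))
```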
