On 09/07/13 05:19, ianG wrote:
If so, then the domain owner can deliver a public key with authenticity using the DNS. This strikes a deathblow to the CA industry. This threat is enough for CAs to spend a significant amount of money slowing down its development [0].
Unfortunately, as far as SSL domain name certificates go ... the domain name infrastructure is the authoritative agency for domain name ownership ... the SSL domain name certification agencies have to rely on the domain name infrastructure to validate true ownership for SSL domain name applications. As I've repeatedly referenced ... this puts the CAs in a catch-22 ... they need improved integrity of the domain name infrastructure (attacks on domain name ownership records and then being issued a valid SSL certificate) ... which comes with lots of DNSSEC ... but that also eliminates much of the need for SSL domain certificates. As per the prior reference about the original work on SSL for electronic commerce ... at least for the financial industry I've repeatedly shown that digital certificates were redundant and superfluous. I also showed that at the time, the addition of digital certificates increased the payload size by two orders of magnitude (besides being redundant and superfluous). That apparently motivated the "compressed" digital certificate financial standard effort ... trying to reduce digital certificates so that the payload bloat was only ten times (instead of a hundred times) ... in large part by eliminating all information that the processing institution already had. I demonstrated that the processing institution would have all the information and therefore digital certificates could be reduced to zero bytes ... so instead of eliminating redundant and superfluous digital certificates ... it was possible to mandate that zero-byte certificates be appended to every transaction (it would be possible to digitally "sign" a payment transaction for authentication ... and rely on the individual's financial institution to have registered the person's public key ... w/o having to increase the size of every payment transaction in the world by 100 times just to transmit a redundant and superfluous appended digital certificate).
I like the interchange at a panel discussion in an early 90s ACM SIGMOD ballroom open session: somebody in the audience asked what all this x.5xx stuff was about, and one of the panelists said it was a bunch of networking engineers trying to reinvent 1960s database technology. There was some amount of participation by the information assurance directorate in financial industry standards meetings. At various times there were references to rifts between IA and SIGINT ... but for all I know that may be kabuki theater. I was fairly vocal that any backdoors could put the financial industry at risk from bad guys discovering the vulnerabilities ... and wanted KISS applied to as much as possible (and backdoors forbidden). There are other agendas in much of this. At the start of the century there were several "safe" internet payment products pitched to major merchants (accounting for 70% of internet transactions), which got high acceptance. Merchants have been indoctrinated for decades that a large part of the interchange fee is proportional to the associated fraud rate ... and the merchants were expecting an order of magnitude reduction in their fees (with the safe products). Then came the cognitive dissonance when the banks told the merchants that rather than a major reduction in interchange fees with the "safe" payment products ... there would effectively be a surcharge added to the highest fee they were already paying (and all the safe efforts collapsed). Part of the issue was that the bottom line for large issuing banks was 40%-60% from these fees, and an order of magnitude reduction in those fees would be a big hit to their bottom line (the size of the fees in part justified by fraud rates). The "safe" products would go a long way to eliminating most fraud and commoditizing the payment transaction business ... which would also lower the bar for entry by competition.
--
virtualization experience starting Jan1968, online at home since Mar1970
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
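As an added illustration of the "zero-byte certificate" point in the reply above (example code written for this page, not from the original post or its author): the relying institution already holds the public key it registered for the account at enrolment, so a signed payment needs only the transaction bytes plus the signature, and nothing the verifier already knows has to travel with it. The Registry, Transaction, Sign, Verify and Bloat names, the account and payee strings, the encoding layout and the 4096-byte placeholder certificate size are all constructed for this example; Ed25519 stands in for whatever signature scheme a real deployment would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registry stands in for the financial institution's record of the public
// key each of its account holders registered at enrolment. Because the
// verifier already holds this key, the transaction need not carry a
// certificate (the post's "zero byte certificate"). Constructed example.
type Registry map[string]ed25519.PublicKey

// Transaction is a deliberately minimal payment message (constructed example).
type Transaction struct {
	Account string // account at the issuing institution (must not contain a NUL byte)
	Payee   string // merchant or recipient identifier (must not contain a NUL byte)
	Amount  uint64 // amount in minor units (e.g. cents)
}

// Encode serialises the transaction deterministically: account, NUL, payee,
// NUL, big-endian amount. These are exactly the bytes that get signed.
func (t Transaction) Encode() []byte {
	buf := make([]byte, 0, len(t.Account)+len(t.Payee)+10)
	buf = append(buf, t.Account...)
	buf = append(buf, 0)
	buf = append(buf, t.Payee...)
	buf = append(buf, 0)
	amt := make([]byte, 8)
	binary.BigEndian.PutUint64(amt, t.Amount)
	return append(buf, amt...)
}

// Decode is the inverse of Encode and rejects malformed input.
func Decode(msg []byte) (Transaction, error) {
	parts := bytes.SplitN(msg, []byte{0}, 3)
	if len(parts) != 3 || len(parts[2]) != 8 {
		return Transaction{}, errors.New("malformed transaction encoding")
	}
	return Transaction{
		Account: string(parts[0]),
		Payee:   string(parts[1]),
		Amount:  binary.BigEndian.Uint64(parts[2]),
	}, nil
}

// Sign returns the wire payload: transaction bytes followed by a 64-byte
// Ed25519 signature. No certificate is appended; the verifier looks the
// key up in its own registry instead.
func Sign(t Transaction, priv ed25519.PrivateKey) []byte {
	msg := t.Encode()
	return append(msg, ed25519.Sign(priv, msg)...)
}

// Verify splits the payload, parses the transaction, fetches the key the
// institution registered for that account, and checks the signature.
// An unknown account or a modified byte anywhere in the message fails.
func Verify(reg Registry, payload []byte) (Transaction, error) {
	if len(payload) <= ed25519.SignatureSize {
		return Transaction{}, errors.New("payload too short to hold a signature")
	}
	split := len(payload) - ed25519.SignatureSize
	msg, sig := payload[:split], payload[split:]
	t, err := Decode(msg)
	if err != nil {
		return Transaction{}, err
	}
	pub, ok := reg[t.Account]
	if !ok {
		return Transaction{}, errors.New("no public key registered for account " + t.Account)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return Transaction{}, errors.New("signature does not verify under the registered key")
	}
	return t, nil
}

// Bloat reports how many times larger the payload becomes when a certificate
// of certLen bytes is appended to a signed payload of signedLen bytes. The
// post's "100 times" is a multi-kilobyte certificate on a message of a few
// dozen bytes; the certificate length below is a constructed placeholder.
func Bloat(signedLen, certLen int) float64 {
	return float64(signedLen+certLen) / float64(signedLen)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Enrolment: the institution records the account holder's public key once.
	reg := Registry{"acct-0001": pub}

	tx := Transaction{Account: "acct-0001", Payee: "merchant-42", Amount: 1999}
	payload := Sign(tx, priv)

	got, err := Verify(reg, payload)
	fmt.Printf("verified: %+v, err=%v\n", got, err)

	// Flip the low byte of the amount: the registered key no longer verifies it.
	tampered := append([]byte(nil), payload...)
	tampered[len(tx.Encode())-1] ^= 0x01
	_, err = Verify(reg, tampered)
	fmt.Println("tampered:", err)

	const placeholderCertLen = 4096 // constructed size for comparison only
	fmt.Printf("signed payload: %d bytes; with appended certificate: %d bytes (%.0fx)\n",
		len(payload), len(payload)+placeholderCertLen, Bloat(len(payload), placeholderCertLen))
}
```

The check that matters for the argument is in Verify: the key comes from the institution's own registry, keyed by the account named inside the signed bytes, so an attacker cannot substitute a key of their choosing the way they could if the verifier trusted whatever certificate arrived with the message. The size comparison at the end is the payload-bloat point in numbers: the 30-byte constructed transaction plus a 64-byte signature is 94 bytes, and appending even a modest placeholder certificate multiplies that by tens.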