Peter Fairbrother <zenadsl6...@zen.co.uk> writes: >On 24/09/13 05:27, Peter Gutmann wrote: >> Peter Fairbrother <zenadsl6...@zen.co.uk> writes: >>> If you just want a down-and-dirty 2048-bit FS solution which will work >>> today, >>> why not just have the websites sign a new RSA-2048 sub-certificate every >>> day? >>> Or every few hours? And delete the secret key, of course. >> >> ... and I guess that puts you firmly in the theoretical/impractical camp. >> Would you care to explain how this is going to work within the TLS protocol? > >I'm not sure I understand you.
Something that can "sign a new RSA-2048 sub-certificate" is called a CA. For a browser, it'll have to be a trusted CA. What I was asking you to explain is how the browsers are going to deal with over half a billion (source: Netcraft web server survey) new CAs in the ecosystem when "websites sign a new RSA-2048 sub-certificate". Peter. _______________________________________________ The cryptography mailing list firstname.lastname@example.org http://www.metzdowd.com/mailman/listinfo/cryptography