On 26/06/2011 18:34, Jonathan Thornburg wrote:
> On Sun, 26 Jun 2011, Marsh Ray wrote:
>> How about these questions:
>> When is a centralized root list necessary and when can it be avoided?
>> How can the quality of root CAs be improved?
>> How can the number of root CAs be reduced in general?
>> How can the number of root CAs be reduced in specific situations?
>
> I think the last of these is very important, because it's the difference
> between
>
> [today]
> I want to connect to https://www.bank.com or https://www.airline.com.
> If *any* CA in the world has falsely issued a certificate for that
> domain, then I could be talking to a phisher or MITM and be none the
> wiser.
>
> [if we used certificates a bit more wisely]
> I want to connect to https://www.bank.com or https://www.airline.com.
> If bank.com's or airline.com's CA has falsely issued a certificate for
> that domain, then I could be talking to a phisher or MITM and be none
> the wiser.
>
> The latter is far from perfect, but it's a lot better than the former.
>
> I think the ssh model ("cross your fingers the first time you connect,
> but then remember the info so future connections are safer if that first
> time was actually ok") has a lot of potential. I think there's a firefox
> extension that does this for certificates, but I forget its name...

You may be thinking of Perspectives - www.networknotary.org/firefox.html

Regards,
Nicholas Bohm
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
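
The ssh-style "remember the info" model discussed in this thread, as an added Python example that is not part of the original messages and is not the code of Perspectives or any other extension. The `PinStore` class, the `pins.json` file name and the certificate byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinStore:
    """Trust-on-first-use store: "host:port" -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        # Write to a temp file and rename, so a crash cannot truncate the pins.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        with os.fdopen(fd, "w") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)

    def check(self, host, port, der_cert):
        """Return "first-use", "match" or "changed"; never overwrite a pin."""
        key = f"{host.lower()}:{port}"
        seen = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(key)
        if pinned is None:
            # The "cross your fingers" step: nothing to compare against yet.
            self.pins[key] = seen
            self._save()
            return "first-use"
        return "match" if hmac.compare_digest(pinned, seen) else "changed"


def demo():
    # Constructed stand-ins for DER certificates; in real use these bytes would
    # come from ssl.SSLSocket.getpeercert(binary_form=True).
    legit = b"constructed cert: www.bank.com, issued by the bank's usual CA"
    other = b"constructed cert: www.bank.com, issued by some other trusted CA"
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(os.path.join(d, "pins.json"))
        results = [
            store.check("www.bank.com", 443, legit),  # first contact
            store.check("WWW.bank.com", 443, legit),  # same cert again
            store.check("www.bank.com", 443, other),  # valid chain, new cert
        ]
        # A fresh process reloads the pin; the mismatch above did not replace it.
        results.append(PinStore(store.path).check("www.bank.com", 443, legit))
    return results
```

A legitimate certificate renewal also returns "changed", so the caller has to decide out of band whether to accept the new certificate and re-pin.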
