On Wed, Sep 21, 2011 at 11:30 AM, ianG <[email protected]> wrote:
> It's a good term! Add my use: There is a universal implicit
> cross-certification in the secure browsing PKI, and the industry knows it,
> or should know it.
>
> Indeed, we can show evidence of this in Chrome's CA pinning.

I had assumed everyone understood that universal implicit cross-certification — or, from another point of view, the lack of constraints on a signer's authority, such as name constraints or jurisdictional constraints — was the most burningly obvious problem in browser PKI. (The clown-town semantics of X.509 are a close second, of course.)

But, then, I also assumed that the usability failure was apparent to everyone as well — K6 indeed! (Can you imagine soldiers under fire trying to figure out if their browser is talking to the right HQ? Makes flipping to the right page in the OTP codebook seem trivially easy by comparison.)

--
"These days, though, you have to be pretty technical before you can even aspire to crudeness." — William Gibson

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
