On Oct 10, 2012, at 9:09 AM, Ben Laurie <[email protected]> wrote:

> On Wed, Oct 10, 2012 at 1:44 PM, Guido Witmond <[email protected]> wrote:
>> Hello Everyone,
>>
>> I'm proposing to revitalise an old idea. With a twist.
>>
>> The TL;DR:
>>
>> 1. Ditch password-based authentication over the net;
>>
>> 2. Use SSL client certificates instead;
>>
>> Here comes the twist:
>>
>> 3. Don't use the few hundred global certificate authorities to sign
>> the client certificates. These CAs require extensive identity
>> validations before signing a certificate. These certificates are
>> only useful when the real identity is needed.
>> Currently, passwords provide better privacy but lousy security;
>>
>> 4. Instead: install a CA-signer at every website that signs
>> certificates that are only valid for that site. Validation
>> requirement before signing: CN must be unique.
>
> http://tools.ietf.org/html/draft-balfanz-tls-obc-01
Or a very old, long-expired draft with the same theme: https://www.cs.columbia.edu/~smb/papers/draft-ietf-ipsra-getcert-00.txt

--Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
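Point 4 of the quoted proposal, worked through as an added example that is not code from the thread, from Guido's proposal, or from either of the linked drafts: a hypothetical per-site signer in Go (the `SiteCA` type, its `Issue` and `Verify` methods, and the sample site names and CN are all assumptions of this example). The signer performs exactly the one validation the proposal asks for, that the CN is not already registered at this site, and the verify step trusts only that site's own root, which is what makes the certificates "only valid for that site": a certificate issued by one site's CA fails verification at another site, and no public CA is consulted at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SiteCA is a hypothetical per-site signer (an assumption of this example).
// It issues client certificates that chain only to this site's own root.
type SiteCA struct {
	site   string
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	issued map[string]bool // CNs already signed at this site
	serial int64
}

// NewSiteCA generates a self-signed root for one site.
func NewSiteCA(site string) (*SiteCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: site + " client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SiteCA{site: site, cert: cert, key: key, issued: map[string]bool{}, serial: 1}, nil
}

// Issue signs a client certificate for cn after the only check the proposal
// asks for: the CN must not already be taken at this site. The CA sees only
// the client's public key; the private key never leaves the client.
func (ca *SiteCA) Issue(cn string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if ca.issued[cn] {
		return nil, fmt.Errorf("CN %q is already taken at %s", cn, ca.site)
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.issued[cn] = true
	return cert, nil
}

// Verify is what this site's TLS server does with a presented client cert:
// chain it against this site's root only. Anything issued elsewhere fails.
func (ca *SiteCA) Verify(cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	a, _ := NewSiteCA("example.com") // site names and CN are constructed
	b, _ := NewSiteCA("other.example")
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := a.Issue("alice", &userKey.PublicKey)
	cn, err := a.Verify(cert)
	fmt.Println("example.com accepts:", cn, err)
	_, err = a.Issue("alice", &userKey.PublicKey)
	fmt.Println("second alice at example.com:", err)
	_, err = b.Verify(cert)
	fmt.Println("other.example accepts example.com cert:", err)
}
```

The uniqueness map stands in for whatever registry a real deployment would keep; the property worth noticing is that the only trust anchor the server's `Verify` consults is its own root, so the certificate carries no cross-site identity and nothing a public CA could vouch for.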
