On Sat, Jan 25, 2014 at 7:53 AM, Guido Witmond <[email protected]> wrote:
> ...
> Client certificates are part of my answer to MitM attacks.
>
> The other part is to forget about third-party CA's.

my heart a twitter already! (these are the key points, and you hit them first.)

> See http://eccentric-authentication.org/ to read more.
>
> I'd love to hear comments.

i've come across this on other lists, and will one day provide a better response. my initial feedback relates to:

- supported suites. NULL encryption is still a valid TLS mode!
- end-point security (each site acting as a CA is like every bitcoin user acting as a bank. you've elevated the threat model on the unsuspecting.)
- Namecoin and other decentralized alternatives to DNSSEC.

best regards,
