Sorry, I should have addressed a relevant comment you made: > Unfortunately, it seems like any sort of PKI alternative is years if > not decades away, so I began brainstorming short-to-mid-term solutions > to this problem.
I do not believe this is the case. We could have an implementation ready within a year. We just developers people to do it. I am doing my best to extend my time and development efforts to making this a reality, but I definitely could use help. Please let me know if you are interested! Sincerely, Greg -- Please do not email me anything that you are not comfortable also sharing with the NSA. On Aug 18, 2014, at 7:25 PM, Tao Effect <[email protected]> wrote: > Free SSL certs is a great thing, and in that spirit I extend to you my > half-hearted support for calling on [whoever] to issue free certificates. > > My support is half-hearted, however, because money is not the only problem > with X.509. > > The main problem with X.509 is that it is insecure. > > X.509 is fundamentally broken. It cannot be patched. > > We need to replace X.509 with something that actually offers security and > usability to users and sysadmins alike. > > The blockchain is the best known solution as far as replacements for X.509 go. > > See more info in this README: > > https://github.com/okTurtles/dnschain/blob/master/README.md > > Kind regards, > Greg Slepak > > -- > Please do not email me anything that you are not comfortable also sharing > with the NSA. > > On Aug 18, 2014, at 7:13 PM, Daniel Roesler <[email protected]> wrote: > >> Howdy all, I'm not sure if this is within the scope of this forum, so >> please ignore it if it is. >> >> A month ago, I proposed that Firefox should change its generic http >> icon to be a broken lock[1]. This would offer a bit of negative >> feedback for websites that do not use https and hopefully encourage >> them switching to https. This was obviously a big ask, and it sparked >> quite extensive discussions in both the Mozilla[2] and Chromium[3] >> security mailing lists. Most people were sympathetic to the goal, but >> the bug eventually got closed as Verified Wontfix. >> >> Anyway, two of the recurring arguments against the proposal were: >> >> 1) SSL Certificates are expensive. >> 2) Certificate Authorities are a racket. >> >> I don't necessarily see these as deal breakers to being more >> aggressive with https adoption, but I can understand where these >> arguments are coming from. StartCom offers a free certificate, but you >> have to pay to have it revoked, and a lot people got burned on that >> during Heartbleed (including me). I'm not aware of anyone else who >> offers a free SSL Certificate, even with the revocation gotcha. So I >> can see how the perception is that certs are a cost that isn't worth >> it for your personal blog or random side project site. Also, I can >> sympathize with the perception that CAs are racket because they all >> come across as pretty scammy with their upsells and add-ons that don't >> actually add much. >> >> Unfortunately, it seems like any sort of PKI alternative is years if >> not decades away, so I began brainstorming short-to-mid-term solutions >> to this problem. >> >> I started by looking at the default root certificate repositories that >> the major browsers and operating systems use. They are mostly your >> regular list of CAs and governments, but there's one name that popped >> out as unique: AOL. >> >> America Online has two legacy certificates[4] in the Microsoft[5], >> Apple[6], NSS[7], and Android[8] default list of root CAs. I'm >> assuming this is from back when AIM as all the rage, but remarkably >> AOL has been keeping up the audits[9] for them. Does anyone have any >> more info on the history of these certs? >> >> I think might be a great opportunity to address the two problems >> above. Could AOL start offering free SSL Certificates? >> >> Pros: >> 1) Their root certificates are already in everyone's list (backwards >> compatibility). >> 2) Their core business model is not issuing certificates (not seen as a >> racket). >> 3) They would get a huge press coverage for being a "savior of HTTPS" >> or some such spin (positive spotlight for AOL). >> 4) There would now be competition in the free SSL cert market (maybe >> other CAs would start offering free options, too). >> >> Cons: >> 1) This would be a cost for AOL. Perhaps other tech companies could >> partner with them to subsidize the cost of issuing the certificate? >> Perhaps there could be kickstarter to pay for the costs? Perhaps AOL >> could spin off a non-profit foundation or donate the certificates to >> Mozilla? >> 2) Unforseen technical problems associated with starting to chain to a >> certificate that hasn't been in active use for a long time. I have no >> idea what these could be. Thoughts? >> 3) SSL certs would likely be issued with no warranty (since they are >> free). Not a deal breaker in my opinion, because the scope for these >> could be for non-commercial use. >> >> Anyway, just tossing out this idea for feedback. There's no sense in >> pursuing this further if there's technical reasons making this >> impossible. Also, does anyone know anyone who works at AOL? >> >> -Daniel >> >> [1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1041087 >> [2] - >> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/iU86qMOwvWs >> [3] - >> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/rGM2oiKZqZU >> [4] - https://pki-info.aol.com/AOL/ >> [5] - >> https://social.technet.microsoft.com/wiki/contents/articles/14216.windows-and-windows-phone-8-ssl-root-certificate-program-april-2012-a-d.aspx >> [6] - http://support.apple.com/kb/HT5012 >> [7] - >> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/ >> [8] - >> https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/2fb1850a.0 >> [9] - https://pki-info.aol.com/AOL/2013_AOLRoot_Audit_Attestation.pdf >> _______________________________________________ >> Messaging mailing list >> [email protected] >> https://moderncrypto.org/mailman/listinfo/messaging >
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
