> We could have an implementation ready within a year. No offense, but how long do you think it will be before Oracle/IBM/<insert-enterprise-tech-company-here> adopts your standard? I'm all for PKI alternatives, but your solution is easily a decade away from replacing X.509.
Daniel On Mon, Aug 18, 2014 at 2:27 PM, Tao Effect <[email protected]> wrote: > Sorry, I should have addressed a relevant comment you made: > > Unfortunately, it seems like any sort of PKI alternative is years if > not decades away, so I began brainstorming short-to-mid-term solutions > to this problem. > > > I do not believe this is the case. > > We could have an implementation ready within a year. We just developers > people to do it. I am doing my best to extend my time and development > efforts to making this a reality, but I definitely could use help. Please > let me know if you are interested! > > Sincerely, > Greg > > > -- > Please do not email me anything that you are not comfortable also sharing > with the NSA. > > On Aug 18, 2014, at 7:25 PM, Tao Effect <[email protected]> wrote: > > Free SSL certs is a great thing, and in that spirit I extend to you my > half-hearted support for calling on [whoever] to issue free certificates. > > My support is half-hearted, however, because money is not the only problem > with X.509. > > The main problem with X.509 is that it is insecure. > > X.509 is fundamentally broken. It cannot be patched. > > We need to replace X.509 with something that actually offers security and > usability to users and sysadmins alike. > > The blockchain is the best known solution as far as replacements for X.509 > go. > > See more info in this README: > > https://github.com/okTurtles/dnschain/blob/master/README.md > > Kind regards, > Greg Slepak > > -- > Please do not email me anything that you are not comfortable also sharing > with the NSA. > > On Aug 18, 2014, at 7:13 PM, Daniel Roesler <[email protected]> wrote: > > Howdy all, I'm not sure if this is within the scope of this forum, so > please ignore it if it is. > > A month ago, I proposed that Firefox should change its generic http > icon to be a broken lock[1]. This would offer a bit of negative > feedback for websites that do not use https and hopefully encourage > them switching to https. This was obviously a big ask, and it sparked > quite extensive discussions in both the Mozilla[2] and Chromium[3] > security mailing lists. Most people were sympathetic to the goal, but > the bug eventually got closed as Verified Wontfix. > > Anyway, two of the recurring arguments against the proposal were: > > 1) SSL Certificates are expensive. > 2) Certificate Authorities are a racket. > > I don't necessarily see these as deal breakers to being more > aggressive with https adoption, but I can understand where these > arguments are coming from. StartCom offers a free certificate, but you > have to pay to have it revoked, and a lot people got burned on that > during Heartbleed (including me). I'm not aware of anyone else who > offers a free SSL Certificate, even with the revocation gotcha. So I > can see how the perception is that certs are a cost that isn't worth > it for your personal blog or random side project site. Also, I can > sympathize with the perception that CAs are racket because they all > come across as pretty scammy with their upsells and add-ons that don't > actually add much. > > Unfortunately, it seems like any sort of PKI alternative is years if > not decades away, so I began brainstorming short-to-mid-term solutions > to this problem. > > I started by looking at the default root certificate repositories that > the major browsers and operating systems use. They are mostly your > regular list of CAs and governments, but there's one name that popped > out as unique: AOL. > > America Online has two legacy certificates[4] in the Microsoft[5], > Apple[6], NSS[7], and Android[8] default list of root CAs. I'm > assuming this is from back when AIM as all the rage, but remarkably > AOL has been keeping up the audits[9] for them. Does anyone have any > more info on the history of these certs? > > I think might be a great opportunity to address the two problems > above. Could AOL start offering free SSL Certificates? > > Pros: > 1) Their root certificates are already in everyone's list (backwards > compatibility). > 2) Their core business model is not issuing certificates (not seen as a > racket). > 3) They would get a huge press coverage for being a "savior of HTTPS" > or some such spin (positive spotlight for AOL). > 4) There would now be competition in the free SSL cert market (maybe > other CAs would start offering free options, too). > > Cons: > 1) This would be a cost for AOL. Perhaps other tech companies could > partner with them to subsidize the cost of issuing the certificate? > Perhaps there could be kickstarter to pay for the costs? Perhaps AOL > could spin off a non-profit foundation or donate the certificates to > Mozilla? > 2) Unforseen technical problems associated with starting to chain to a > certificate that hasn't been in active use for a long time. I have no > idea what these could be. Thoughts? > 3) SSL certs would likely be issued with no warranty (since they are > free). Not a deal breaker in my opinion, because the scope for these > could be for non-commercial use. > > Anyway, just tossing out this idea for feedback. There's no sense in > pursuing this further if there's technical reasons making this > impossible. Also, does anyone know anyone who works at AOL? > > -Daniel > > [1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1041087 > [2] - > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/iU86qMOwvWs > [3] - > https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/rGM2oiKZqZU > [4] - https://pki-info.aol.com/AOL/ > [5] - > https://social.technet.microsoft.com/wiki/contents/articles/14216.windows-and-windows-phone-8-ssl-root-certificate-program-april-2012-a-d.aspx > [6] - http://support.apple.com/kb/HT5012 > [7] - > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/ > [8] - > https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/2fb1850a.0 > [9] - https://pki-info.aol.com/AOL/2013_AOLRoot_Audit_Attestation.pdf > _______________________________________________ > Messaging mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/messaging > > > _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
