I'm pretty fond of the idea proposed by gpgAuth. One key to rule them
all (and one password) combined with the client verifying the
server. It's still in its infancy, but it works.
-A
(Full disclosure: I work with the creator of gpgAuth in our day jobs)
On Sun, Sep 11, 2011 at 11:47, Richard Barnes <richard.bar...@gmail.com> wrote:
> There's an app^W^Wa Working Group for that.
> <http://tools.ietf.org/wg/dane/>
>
> On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones <m...@mikejones.in> wrote:
>> On 11 September 2011 16:55, Bjørn Mork <bj...@mork.no> wrote:
>>> You can rewrite that: Trust is the CA business.  Trust has a price.  If
>>> the CA is not trusted, the price increases.
>>>
>>> Yes, they may end up out of business because of that price jump, but you
>>> should not neglect the fact that trust is for sale here.
>>>
>>
>> The CA model is fundamentally flawed in the fact that you have CAs
>> whose sole "trustworthiness" is the fact that they paid for an audit
>> (for Microsoft, lower requirements for others), they then issue
>> intermediate certificates to other companies (many web hosts and other
>> minor companies have them) whose sole "trustworthiness" is the fact
>> that they paid for an intermediate certificate, all of those
>> companies/organisations/people are then considered trustworthy enough
>> to confirm the identity of my web server despite the fact that none of
>> them have any connection at all to me or my website.
>>
>> There is already a chain of trust down the DNS tree, if that is
>> compromised then my SSL is already compromised (if they control my
>> domain, they can "verify" they are me and get a certificate), what
>> happened to RFC4398 and other such proposals? EV certificates have a
>> different status and probably still need the CA model, however with
>> "standard" SSL certificates the only validation done these days is
>> checking someone has control over the domain. DNSSEC deployment is
>> advanced enough now to do that automatically at the client. We just
>> need browsers to start checking for certificates in DNS when making a
>> HTTPS connection (and if one is found do client side DNSSEC validation
>> - I don't trust my ISP's DNS servers to validate something like that,
>> considering they are the ones likely to be intercepting my connections
>> in the first place!).
>>
>> It will take a while to get updated browsers rolled out to enough
>> users for it to be practical to start using DNS based self-signed
>> certificates instead of CA-Signed certificates, so why don't any
>> browsers have support yet? Are any of them working on it?
>>
>> - Mike
>>
>>
>
>
