Re: ADMIN: end of latest SSL discussion
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>The latest round of "SSL and X.509 certs in browsers are broken" has gone on
>too long.

It's been a good start though. The first step towards recovery is admitting that you have a problem...

Hi. My name is Peter and I have an X.509 problem. Initially it was just small things, a little PKI after lunch, maybe a digital ID after dinner and a small CRL as a nightcap. Then I discovered OCSP, and started combining low- and high-assurance certificates. It just got worse and worse. In the end I was experimenting with cross-certifying CAs and even freebasing trust anchors. One morning I woke up in bed next to a giant lizard wearing a Mozilla t-shirt and knew I had a problem.

It's now been six weeks since my last PKI...

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: ADMIN: end of latest SSL discussion
In the SSL thread various solutions were proposed, or rather existing solutions pointed to:

1. SSH just works. So generalizing from the success of SSH, the browser should remember who you have relationships with, and the keys of the people you have relationships with. To avoid the name overload problem, those relationships should be named by Zooko's triangle, as the petname tool does, and should be a special kind of favorite, as the petname tool makes them.

   This requires that establishing a relationship, and verifying a shared secret, should be part of the browser chrome, as it is with SSH, rather than a particular application of generic web forms, as it is with existing practice. So when you hit a phisher, significantly different chrome comes up.

2. Phishers are after shared secrets, so secure each shared secret, and thus each relationship, with SRP-TLS-OpenSSL.

   This also requires that establishing a relationship, and verifying a shared secret, should be part of the browser chrome, rather than a particular application of generic web forms.

--digsig
         James A. Donald
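One way to realise the SSH-style remembered-relationship store that this post sketches, as an added Python example that is not part of the post or of the petname tool it mentions (the class names, the SHA-256 key fingerprint and the sample names and keys are all assumptions):

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Relationship:
    petname: str      # name the user chose locally (the "petname" corner of Zooko's triangle)
    nickname: str     # name the remote side claims for itself, e.g. a hostname
    fingerprint: str  # SHA-256 of the public key seen when the relationship was established

class PetnameStore:
    """SSH-style trust-on-first-use store of the user's relationships."""

    def __init__(self):
        self._by_petname = {}
        self._by_fingerprint = {}

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        return hashlib.sha256(pubkey).hexdigest()

    def establish(self, petname, nickname, pubkey):
        """Record a relationship once, at the moment the user verifies it."""
        if petname in self._by_petname:
            raise ValueError("petname already in use: %s" % petname)
        rel = Relationship(petname, nickname, self.fingerprint(pubkey))
        self._by_petname[petname] = rel
        self._by_fingerprint[rel.fingerprint] = rel
        return rel

    def classify(self, nickname, pubkey):
        """Pick the chrome for a site presenting (nickname, pubkey):
        'known'    the key matches a stored relationship, show its petname;
        'mismatch' the claimed name is known but the key changed (SSH-style alarm);
        'unknown'  no relationship at all, so a look-alike name earns no petname."""
        rel = self._by_fingerprint.get(self.fingerprint(pubkey))
        if rel is not None:
            return "known", rel.petname
        for rel in self._by_petname.values():
            if rel.nickname == nickname:
                return "mismatch", rel.petname
        return "unknown", None

def demo():
    # Constructed sample keys and names; a real store would hold SPKI bytes.
    store = PetnameStore()
    store.establish("my bank", "bank.example", b"constructed-bank-key")
    return (store.classify("bank.example", b"constructed-bank-key"),
            store.classify("bank.example", b"constructed-other-key"),
            store.classify("bank-login.example", b"constructed-other-key"))
```

The third case is the point of the post: a site the user has no relationship with gets no petname, so the browser can show plainly different chrome instead of relying on the user to spot the name.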
ADMIN: end of latest SSL discussion
The latest round of "SSL and X.509 certs in browsers are broken" has gone on too long. I kept hoping after weeks people might get bored, but they haven't. I'm cutting it off for at least a little while. I'll entertain new postings only if they propose actual solutions rather than long philosophical discussions of how we went wrong when we developed notochords or left the ocean or went bipedal or what have you. The unending rant can continue in a few weeks after I've forgotten about this one.

By the way, this does not apply to any sort of actual technical discussion (like the discussion of which bignum implementations are fastest).

Perry