Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] root CA bloat



On 11/24/2014 3:20 PM, Derek Martin wrote:
> It is a practical impossibility for you (or your organization) to
> actually truly authenticate each and every entity with whom you do
> business on the Internet.  The problem is compounded by the needs of

I don't agree with the base assertion. I don't believe that it is an 
impossibility, practical or otherwise. Means to do it exist. Kerberos 
does it on a small scale. Make something like Kerberos realms integral 
to web browsers. Make doing business with Amazon a matter of creating a 
principal for Amazon in your browser profile. There you have it: 
verifiable, mutual authentication across the entire Internet.

No, that's not intended to be the solution. It's me noodling about one 
way to go about it. Yes, I'm aware that this does not solve the initial 
trust problem. Like I wrote above, I don't believe it is impossible to 
solve, only that nobody has put the effort into solving it (or if they 
have then their work has largely been ignored).

It wouldn't require a flag day. It's something that browser makers could 
implement and deploy in parallel with the existing X.509 PKI currently 
in use. X.509 could then be deprecated once the new system achieves a 
critical mass.

-- 
Rich P.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org