[13742] in cryptography@c2.net mail archive


Re: Mozilla tool to self-verify HTTPS site

daemon@ATHENA.MIT.EDU (Marc Branchaud)
Mon Jun 30 21:02:56 2003

X-Original-To: cryptography@metzdowd.com
Date: Mon, 30 Jun 2003 15:51:55 -0700
From: Marc Branchaud <marcnarc@rsasecurity.com>
To: iang@systemics.com
Cc: Victor.Duchovni@morganstanley.com, cryptography@metzdowd.com
In-Reply-To: <3EF9845D.16D830EC@systemics.com>


Ian Grigg wrote:
> 
> Tying the certificate into the core crypto protocol seems to be a
> poor design choice;  outsourcing any certification to a higher layer
> seems to work much better out in the field.

I'll reserve judgement about the significance of SSLBar, but I couldn't
agree more with the above point.  The only way to use non-X.509 certs
with TLS 1.0 is by rather clunkily extending the ciphersuites to also
identify some kind of certificate type.

IMO, this fact has significantly contributed to the lack of adoption of
PGP, SPKI, and alternative PKIs on the Internet.

TLS's new extension mechanism can help address this (see
draft-ietf-tls-openpgp-keys), but it'll be a while before extension
support is common.

		M.
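The mechanism Marc is pointing at, draft-ietf-tls-openpgp-keys (later published as RFC 5081), negotiates the certificate type out of band from the ciphersuite: the client lists the CertificateType values it accepts in a cert_type extension (extension type 9; X.509 = 0, OpenPGP = 1), and the server answers with the single type it will present. The following is an added example, not code from the post or from any TLS implementation, that encodes and parses that extension and runs the server-side selection; the function names and the decision to fall back to X.509 when the extension is absent are assumptions made here for illustration, and no network I/O is involved.

```python
import struct

# Code points from RFC 5081, the published form of draft-ietf-tls-openpgp-keys.
EXT_CERT_TYPE = 9   # ExtensionType cert_type
CT_X509 = 0         # CertificateType X.509
CT_OPENPGP = 1      # CertificateType OpenPGP


def encode_client_cert_type(types):
    """ClientHello form: certificate_types<1..2^8-1> wrapped as a TLS extension."""
    if not 1 <= len(types) <= 255:
        raise ValueError("client must list between 1 and 255 certificate types")
    body = bytes([len(types)]) + bytes(types)
    return struct.pack("!HH", EXT_CERT_TYPE, len(body)) + body


def encode_server_cert_type(chosen):
    """ServerHello form: exactly one CertificateType byte."""
    body = bytes([chosen])
    return struct.pack("!HH", EXT_CERT_TYPE, len(body)) + body


def parse_extensions(blob):
    """Split a concatenated extension block into {ext_type: body}.

    Truncated headers or bodies and duplicated extension types are rejected
    rather than silently ignored, since a lenient parser here is where
    downgrade games start.
    """
    exts = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", blob, off)
        off += 4
        if len(blob) - off < ext_len:
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = blob[off:off + ext_len]
        off += ext_len
    return exts


def parse_client_cert_type(body):
    """Decode the client's list; the leading byte is the list length."""
    if not body or body[0] == 0 or body[0] != len(body) - 1:
        raise ValueError("malformed cert_type body")
    return list(body[1:])


def negotiate(client_types, server_types):
    """Pick the first client-preferred type the server can present; None means no overlap."""
    for t in client_types:
        if t in server_types:
            return t
    return None


def server_handle_client_hello(ext_blob, server_types):
    """Server side of the negotiation.

    Returns the CertificateType to put in the ServerHello, or None when the
    two sides share no type (the caller then aborts the handshake).  A hello
    without the extension is treated as a pre-extension client that can only
    handle X.509, which is the assumption this example makes, not a rule
    stated in the post.
    """
    exts = parse_extensions(ext_blob)
    if EXT_CERT_TYPE not in exts:
        return CT_X509 if CT_X509 in server_types else None
    client_types = parse_client_cert_type(exts[EXT_CERT_TYPE])
    return negotiate(client_types, server_types)


if __name__ == "__main__":
    # Constructed sample: a client that prefers OpenPGP but also accepts X.509.
    hello = encode_client_cert_type([CT_OPENPGP, CT_X509])
    chosen = server_handle_client_hello(hello, {CT_X509, CT_OPENPGP})
    print("client extension:", hello.hex())
    print("server picks:", chosen, "->", encode_server_cert_type(chosen).hex())
```

The contrast with the ciphersuite approach is the point: here the key-exchange and cipher choice are untouched, and adding a third certificate type means one more byte value in the list, not a new ciphersuite code point for every existing (key exchange, cipher) combination.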


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
