[141165] in cryptography@c2.net mail archive


Re: Security by asking the drunk whether he's drunk

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Dec 26 23:42:43 2008

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: adam@homeport.org, dan@geer.org
Cc: cryptography@metzdowd.com
In-Reply-To: <20081223222307.E4DAE33F4B@absinthe.tinho.net>
Date: Fri, 26 Dec 2008 20:39:50 +1300

dan@geer.org writes:

>I'm hoping this is just a single instance but it makes you remember that the
>browser pre-trusted certificate authorities really needs to be cleaned up.

Given the more or less complete failure of commercial PKI for both SSL web 
browsing and code-signing (as evidenced by the multibillion-dollar cybercrime 
industry freely doing all the things that SSL certs and code-signing were 
supposed to prevent them from doing), it's not so much "cleaned up" as 
"replaced with something that may actually work".  Adding support for a 
service like Perspectives (discussed here a month or two back) would be a good 
start since it provides some of the assurance that a commercial PKI can't (and 
as an additional benefit it also works for SSH servers, since it's not built 
around certificates).

So, when will Google add Perspectives support to their search database? :-).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
