[144443] in North American Network Operators' Group
Re: Why are we still using the CA model? (Re: Microsoft deems all
daemon@ATHENA.MIT.EDU (Martin Millnert)
Mon Sep 12 07:33:26 2011
In-Reply-To: <20110912142317.7d4008a8@greg.bestnet.kharkov.ua>
Date: Mon, 12 Sep 2011 13:32:40 +0200
From: Martin Millnert <millnert@gmail.com>
To: Gregory Edigarov <greg@bestnet.kharkov.ua>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Gregory,
On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov
<greg@bestnet.kharkov.ua> wrote:
> On Mon, 12 Sep 2011 12:12:08 +0200
> Martin Millnert <millnert@gmail.com> wrote:
>
>> Mike,
>>
>> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <mike@mikejones.in> wrote:
>> > It will take a while to get updated browsers rolled out to enough
>> > users for it to be practical to start using DNS based self-signed
>> > certificates instead of CA-Signed certificates, so why don't any
>> > browsers have support yet? Are any of them working on it?
>>
>> Chrome v 14 works with DNS stapled certificates, sort of a hack. (
>> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
>>
>> There are other proposals/ideas out there, completely different to
>> DANE / DNSSEC, like http://perspectives-project.org/ /
>> http://convergence.io/ .
>
> I.e. instead of a set of trusted CAs there will be one distributed net
> of servers that acts as a cert storage?
> I do not see how that could help...
> Well, I do not even see how one can trust any certificate that is
> issued by a commercial organization.
As I understand it the idea is that you would have the
power/capability to assign trust yourself to friends, CAs and your
cat. This then forms some form of (washed out word-warning) web of
trust, when you connect up with others and get their
one-step-away-trust imported.
Outsourcing trust is a pretty hard problem... there's no way to get
around it, really, so this approach (as per my limited research) at
least gives you some power to control it.
Regards,
Martin
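The notary/web-of-trust idea Martin describes, as an added illustration that is not code from the thread, from Perspectives or from Convergence: each principal assigns trust directly to some notaries, imports the trust of those it trusts directly (one step away, discounted, and no further), and accepts a server certificate only if enough of its trusted notaries have observed the same fingerprint. Notary names, weights, hosts and fingerprints are constructed; the quorum rule and decay factor are assumptions of this model.

```python
"""Simplified notary / web-of-trust certificate check (added example,
not the Perspectives or Convergence implementation). All data is
constructed; fingerprints are placeholders, not real certificate hashes."""

# Which fingerprint each notary has observed for each host (constructed).
# notary-cat disagrees with the others: a stale view or an interception.
OBSERVATIONS = {
    "notary-friend-a": {"bank.example": "fp-A"},
    "notary-friend-b": {"bank.example": "fp-A"},
    "notary-ca-x":     {"bank.example": "fp-A"},
    "notary-cat":      {"bank.example": "fp-B"},
}

# Direct trust assignments: principal -> {trusted principal: weight}.
DIRECT_TRUST = {
    "me":              {"notary-friend-a": 1.0, "notary-ca-x": 0.5},
    "notary-friend-a": {"notary-friend-b": 1.0, "notary-cat": 1.0},
    "notary-friend-b": {"notary-friend-a": 1.0},
}

def effective_trust(me, decay=0.5):
    """My trust set: direct trust plus trust imported from the principals
    I trust directly, discounted by `decay`. Only one hop is followed,
    matching the 'one-step-away trust' idea; two hops are ignored."""
    trust = dict(DIRECT_TRUST.get(me, {}))
    for peer, w in DIRECT_TRUST.get(me, {}).items():
        for indirect, w2 in DIRECT_TRUST.get(peer, {}).items():
            if indirect == me or indirect in trust:
                continue  # keep my own direct assignment over an import
            trust[indirect] = w * w2 * decay
    return trust

def check_certificate(me, host, presented_fp, threshold=0.66):
    """Accept `presented_fp` for `host` only if notaries holding at least
    `threshold` of my total trust weight observed the same fingerprint.
    Returns (accepted, agreeing_fraction)."""
    agree = total = 0.0
    for notary, weight in effective_trust(me).items():
        seen = OBSERVATIONS.get(notary, {}).get(host)
        if seen is None:
            continue  # this notary has no opinion on the host
        total += weight
        if seen == presented_fp:
            agree += weight
    if total == 0:
        return False, 0.0  # no evidence at all: fail closed
    ratio = agree / total
    return ratio >= threshold, ratio
```

With these constructed weights, "fp-A" is backed by 2.0 of 2.5 total trust and is accepted, while "fp-B" is backed only by the imported, discounted trust in notary-cat and is rejected.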