nanog mailing list archives

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)


From: Martin Millnert <millnert () gmail com>
Date: Mon, 12 Sep 2011 13:32:40 +0200

Gregory,

On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov
<greg () bestnet kharkov ua> wrote:
> On Mon, 12 Sep 2011 12:12:08 +0200
> Martin Millnert <millnert () gmail com> wrote:
>
>> Mike,
>>
>> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <mike () mikejones in> wrote:
>>> It will take a while to get updated browsers rolled out to enough
>>> users for it to be practical to start using DNS-based self-signed
>>> certificates instead of CA-signed certificates, so why don't any
>>> browsers have support yet? Are any of them working on it?
>>
>> Chrome v14 works with DNS-stapled certificates, sort of a hack. (
>> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
>>
>> There are other proposals/ideas out there, completely different to
>> DANE / DNSSEC, like http://perspectives-project.org/ /
>> http://convergence.io/ .
>
> I.e. instead of a set of trusted CAs there will be one distributed net
> of servers that act as a cert storage?
> I do not see how that could help...
> Well, I do not even see how one can trust any certificate that is
> issued by a commercial organization.

As I understand it the idea is that you would have the
power/capability to assign trust yourself to friends, CAs and your
cat.  This then forms some form of (washed out word-warning) web of
trust, when you connect up with others and get their
one-step-away-trust imported.
Outsourcing trust is a pretty hard problem... there's no way to get
around it, really, so this approach (as per my limited research) at
least gives you some power to control it.

Regards,
Martin
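A small constructed model of the trust assignment Martin describes (direct weights on friends, CAs and notaries, plus imported one-step-away trust, used to judge an observed certificate fingerprint). This is an added illustration, not code from Convergence, Perspectives or anyone in the thread; notary names, fingerprints and weights are made up.

```python
from dataclasses import dataclass, field

# Constructed, simplified Convergence/Perspectives-style trust model: the
# user assigns trust weights to notaries directly, then imports what those
# notaries trust, one step away, at a discount. All data here is made up.

@dataclass
class Notary:
    name: str
    observed: dict                      # host -> cert fingerprint this notary saw
    trusts: dict = field(default_factory=dict)  # other notary -> weight it assigns

class TrustStore:
    def __init__(self, notaries, direct):
        self.notaries = {n.name: n for n in notaries}
        self.weights = dict(direct)     # user's own assignments: name -> weight 0..1

    def import_one_step(self, discount=0.5):
        """Adopt the trust of directly trusted notaries, discounted, without chaining further."""
        for name, w in list(self.weights.items()):
            for other, ow in self.notaries[name].trusts.items():
                if other not in self.weights:   # never override the user's own choice
                    self.weights[other] = w * ow * discount
        return self.weights

    def decide(self, host, fingerprint, threshold=0.6):
        """Accept if the trust-weighted share of observers agreeing with the client's view reaches threshold."""
        total = agree = 0.0
        for name, w in self.weights.items():
            seen = self.notaries[name].observed.get(host)
            if seen is None:                    # notary has no view of this host
                continue
            total += w
            if seen == fingerprint:
                agree += w
        share = agree / total if total else 0.0
        return share >= threshold, round(share, 3)

def demo():
    # Constructed sample: carol sees a different certificate for the host,
    # as a notary whose path to it is being interposed would.
    store = TrustStore([
        Notary("alice", {"example.com": "AA:11"}),
        Notary("bob",   {"example.com": "AA:11"}, trusts={"carol": 1.0}),
        Notary("carol", {"example.com": "BB:22"}),
    ], direct={"alice": 1.0, "bob": 0.8})
    store.import_one_step()                     # carol now weighs 0.8 * 1.0 * 0.5 = 0.4
    return store.decide("example.com", "AA:11"), store.decide("example.com", "BB:22")
```

The fingerprint most trusted observers agree on is accepted; the one only the discounted, indirectly trusted notary reports is rejected, which is the kind of control over outsourced trust the reply is pointing at.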
