On 02/06/2012 23:53, Chad Perrin wrote: > In fact, many of the weaknesses of SSL systems as currently designed > could be obviated by having used OpenPGP as the basis of the system > rather than creating this whole PKI system for the sole purpose of making > corporate CAs seem "necessary" as imaginary authorities who claim to be > able to provide special "security" guarantees.
There's very interesting work going on at the moment about publishing SSL keys or fingerprints via DNSSEC-secured DNS. See: http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec https://tools.ietf.org/html/draft-ietf-dane-protocol-21 So anyone in control of a DNS domain and capable of enabling DNSSEC can issue themselves authenticable TLS certificates without having to line the pockets of the CAs. Server-side, support for the TLSA RR type this is all based on was added to the last update of BIND, which hit stable on Friday. Client side, support is available in Chrome and FireFox by various means. Other than throwing a big spanner into the works for the whole CA business model, this moves the responsibility for identifying the site owner from the CA to the DNS Registrar[*]. While the normal mode will be to have authenticity assured from the root, this does in principle permit any number of DLV-style trust anchors. Whether that can be parlayed into PGP style web-of-trust is an interesting question. Cheers, Matthew [*] It's not hard to convince a DNS Registrar that you should have the rights to a domain name -- you just keep giving them money. -- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey
signature.asc
Description: OpenPGP digital signature
