> There are *lots* of TLS extensions that eliminate or obviate the need for the
> (horrible) PKIX trust model as deployed. For example, TLS PSK, TLS-SRP, the
> PGP method you've found, and others.

Sure .. however as far as I understand the IETF has only 2 _cert_ schemes sanctioned: x509 and OpenPGP, and of those only OpenPGP has a decentralized trust model.

> Right now, none are useful in a browser, but personally I have high hopes for

Which is the main roadblocker to adoption .. right.

> raw keys, trust-anchored by DNSSEC via RFC 6698. In this model, X.509 is
> essentially just a payload format for certs - the entire trust model is
> unused.

DNSSEC seems to follow a centralized/hierarchical trust model. Won't help. The NSA will (does?) own those.

> > [Sidenote: if not, one more reason why a pure Python TLS
>
> Such as tlslite?

That could be a good start: it would take a community effort to scrutinize, security review and robustify for production. The monoculture of OpenSSL is no good IMHO.

/Tobias

> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python@twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
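The RFC 6698 (DANE/TLSA) matching that the quoted message refers to, as an added example that is not part of the original thread or of Twisted: the certificate is a constructed, minimal DER structure built in the file with a hand-rolled encoder (no real CA, placeholder signature), and the TLSA records are constructed too. It shows why, with a DANE-EE record pinning the SubjectPublicKeyInfo (usage 3, selector 1), the X.509 wrapper really is just a payload: re-issuing the same key under a new serial still matches, while a full-certificate pin (selector 0) does not.

```python
"""Added example, not from the thread: RFC 6698 TLSA association matching.
The certificate is constructed here with a tiny DER encoder; nothing is
signed or chain-validated, which is exactly what DANE-EE does not need."""
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, OID, NULL, UTF8, UTCTIME, SET, CTX0 = (
    0x30, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x17, 0x31, 0xA0)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + content


def alg(oid_hex: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { OID, NULL }."""
    return der(SEQUENCE, der(OID, bytes.fromhex(oid_hex)) + der(NULL, b""))


def name(cn: str) -> bytes:
    """Name with a single commonName (2.5.4.3) RDN."""
    atv = der(SEQUENCE, der(OID, bytes.fromhex("550403")) + der(UTF8, cn.encode()))
    return der(SEQUENCE, der(SET, atv))


def build_sample_cert(pubkey_bits: bytes, serial: int = 1) -> bytes:
    """Constructed X.509 v3 certificate (placeholder signature, fake key bits)."""
    spki = der(SEQUENCE, alg("2a864886f70d010101")            # rsaEncryption
               + der(BIT_STRING, b"\x00" + pubkey_bits))
    tbs = der(SEQUENCE,
              der(CTX0, der(INTEGER, b"\x02"))                 # version v3
              + der(INTEGER, bytes([serial]))                  # serialNumber
              + alg("2a864886f70d01010b")                      # sha256WithRSA
              + name("Example Issuer")
              + der(SEQUENCE, der(UTCTIME, b"230101000000Z")
                    + der(UTCTIME, b"240101000000Z"))
              + name("example.com")
              + spki)
    # Signature bytes are a placeholder: DANE matching never checks them.
    return der(SEQUENCE, tbs + alg("2a864886f70d01010b")
               + der(BIT_STRING, b"\x00" * 33))


def tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos -> (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (RFC 6698 selector 1) from a cert."""
    _, tbs_start, _ = tlv(cert_der, 0)                 # Certificate
    tag, pos, tbs_end = tlv(cert_der, tbs_start)       # tbsCertificate
    assert tag == SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == CTX0:                                    # optional [0] version
        pos = end
    for _ in range(5):                                 # serial, sigalg, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    tag, _, end = tlv(cert_der, pos)
    assert tag == SEQUENCE and end <= tbs_end
    return cert_der[pos:end]


def tlsa_association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate Association Data per RFC 6698 section 2.1.2/2.1.3."""
    data = {0: cert_der, 1: subject_public_key_info(cert_der)}[selector]
    if matching_type == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).digest()


def tlsa_record(cert_der: bytes, usage: int, selector: int, matching_type: int):
    """Constructed TLSA RDATA tuple (usage, selector, matching type, data)."""
    return (usage, selector, matching_type,
            tlsa_association_data(cert_der, selector, matching_type))


def tlsa_matches(record, cert_der: bytes) -> bool:
    """True if the presented certificate satisfies the record.
    Usage 3 (DANE-EE) needs no PKIX validation; usage 1 (PKIX-EE) would
    additionally require a chain check, which is deliberately absent here."""
    usage, selector, matching_type, assoc = record
    if usage not in (1, 3):
        return False                                   # TA usages (0/2) not handled
    return hmac.compare_digest(tlsa_association_data(cert_der, selector, matching_type), assoc)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04"
    cert, reissued = build_sample_cert(key, 1), build_sample_cert(key, 2)
    spki_pin, cert_pin = tlsa_record(cert, 3, 1, 1), tlsa_record(cert, 3, 0, 1)
    print("SPKI pin matches re-issued cert:", tlsa_matches(spki_pin, reissued))
    print("full-cert pin matches re-issued cert:", tlsa_matches(cert_pin, reissued))
```

The record tuple is what a `_443._tcp.example.com. TLSA 3 1 1 <hex>` RRset would carry; in a real deployment the DNSSEC-validated lookup supplies it and the TLS handshake supplies the certificate bytes, and the only check that remains is the byte comparison above.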