[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

James A. Donald jamesd at echeque.com
Thu Jul 14 01:04:46 EDT 2011

> Ian G wrote:
> > The chances of them approving or agreeing to EKE are next to nil.
> >
> > The problem with Mozilla security
> > coding is more this: most (all?) of the programmers who work in that
> > area are all employees of the big software providers. And they all
> > have a vested interest in working for the status quo, all are opposed
> > to any change.

On 2011-07-14 10:41 AM, Brian Smith wrote:
> * https://wiki.mozilla.org/Identity/Features/Verified_Email_Service
>    https://wiki.mozilla.org/Identity/Verified_Email_Protocol
> * https://wiki.mozilla.org/Security/DNSSEC-TLS
>    https://bugzilla.mozilla.org/show_bug.cgi?id=589537
> * http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg10018.html
>    https://bugzilla.mozilla.org/show_bug.cgi?id=532127
>    https://bugzilla.mozilla.org/show_bug.cgi?id=405155
>    https://bugzilla.mozilla.org/show_bug.cgi?id=356855

Perhaps you think these links suggest that Mozilla is not in the pocket
of the CAs, in that some people at Mozilla are attempting to make DNSSEC
actually useful.

But they are going to make it useful by making the DNS into a super CA.
You are still going to have to buy your certificate from an existing
CA, and the DNS system will bless it.

This is like designing a bicycle with three and a half wheels.  Any
restructuring that makes DNSSEC useful would make the CAs useless.  The
goal of their design is not to make DNSSEC useful, but to make it useful
in a fashion that does not harm the CA business model.
