[cryptography] PKI "fixes" that don't fix PKI (part III)

James A. Donald jamesd at echeque.com
Fri Sep 9 00:23:16 EDT 2011

On 2011-09-09 9:11 AM, Lucky Green wrote:
> - while it is possible to build communication systems that use some of
> the components of the SSL system that withstand governmental security
> services interception (I have designed and deployed such systems
 > myself)


> an entirely different system in which each
> SSL certificate seen by a browser is sent up to the browser vendor
> checking for consistency. The first few visitors to a website would be
> exposed to a higher risk,

No one is much interested in attacking a website when it first comes up, 
only when it already has a significant user base, thus should be safe 
for everyone.

> Overall, such a system would likely be safe enough to meet
> the design goal for Internet users to be able to send their credit card
> information over the network with fraud rates due to interception being
> on par or lower than card present transactions. Yet this is not fixing
> PKI. This is throwing PKI overboard and designing an entirely different
> system from the ground up.

Can't fix PKI.  Needs wholesale replacement.

More information about the cryptography mailing list