[cryptography] Let's go back to the beginning on this

James A. Donald jamesd at echeque.com
Mon Sep 12 17:48:00 EDT 2011


     --
On 2011-09-11 4:09 PM, Jon Callas wrote:
 > The bottom line is that there are places that continuity
 > works well -- phone calls are actually a good one. There
 > are places it doesn't. The SSL problem that Lucky has
 > talked about so well is a place where it doesn't. Amazon
 > can't use continuity. It is both inconvenient and insecure.

Most people who login to Amazon have a long existing relationship: 
Hence key continuity and SRP would work well.

Those few people who login for the first time generally get there by 
typing a search string into their browser.  This is reliable because DNS 
and routing are not the low hanging fruit.  When and if we fix other 
problems, and they become the low hanging fruit, then yurls will solve 
that problem.

You say that authorities are inevitable and emergent. What is a yurl, 
but everyone his own authority?

 > On the other hand, a couple browsers (I'm looking at you,
 > Firefox and especially you, Chrome) have gotten utterly
 > stupid about self-signed certificates. I have a NAS box in
 > my house that has a web management console, and spins its
 > own self-signed certificates for SSL. When I attach to it,
 > Chrome puts up a special page with danger icons and a
 > blood-red background and it says, "ZOMG! This is
 > self-signed and if you proceed, BABIES WILL DIE!" After
 > proceeding, there's a blood-red X through the lock and
 > blood-red strike-through on the "https" part of the URL.
 > Give. Me. An. Effing. Break.

Undue CA influence.




More information about the cryptography mailing list