[cryptography] Let's go back to the beginning on this
James A. Donald
jamesd at echeque.com
Mon Sep 12 17:48:00 EDT 2011
On 2011-09-11 4:09 PM, Jon Callas wrote:
> The bottom line is that there are places that continuity
> works well -- phone calls are actually a good one. There
> are places it doesn't. The SSL problem that Lucky has
> talked about so well is a place where it doesn't. Amazon
> can't use continuity. It is both inconvenient and insecure.
Most people who log in to Amazon have a long existing relationship:
Hence key continuity and SRP would work well.

Those few people who log in for the first time generally get there by
typing a search string into their browser. This is reliable because DNS
and routing are not the low-hanging fruit. When and if we fix other
problems, and they become the low-hanging fruit, then yurls will solve

You say that authorities are inevitable and emergent. What is a yurl,
but everyone his own authority?
> On the other hand, a couple browsers (I'm looking at you,
> Firefox and especially you, Chrome) have gotten utterly
> stupid about self-signed certificates. I have a NAS box in
> my house that has a web management console, and spins its
> own self-signed certificates for SSL. When I attach to it,
> Chrome puts up a special page with danger icons and a
> blood-red background and it says, "ZOMG! This is
> self-signed and if you proceed, BABIES WILL DIE!" After
> proceeding, there's a blood-red X through the lock and
> blood-red strike-through on the "https" part of the URL.
> Give. Me. An. Effing. Break.
Undue CA influence.