[cryptography] Tell Grandma to remember the Key ID and forget the phone number. [was: Re: Let's go back to the beginning on this]
johnl at iecc.com
Mon Sep 26 13:18:13 EDT 2011
>Now what you're suggesting could work if you did something like made
>some directories that stored the key IDs and web sites they belonged to.
I'm having trouble understanding how this is usefully different than

Current scenario: you do something to persuade a CA to sign your cert.
Then browsers say you're OK, which is a problem if the CA is sloppy.

New improved scenario: you do something to persuade a directory to
list your key ID. Then some manual or automatic process makes your
web site appear OK, which is a problem if the directory managers are

What am I missing here? This all boils down to the introduction
problem: how do you persuade one party that a second party who they
don't know yet is OK? It's always the weak link in any security model
which has a perimeter with nice people inside and unknown or nasty
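As an added illustration (not code from the original post or its author), the following Python model puts the two scenarios from the reply side by side. The "CA" and the "directory" are both constructed here; HMAC stands in for a real certificate signature so the example runs with the standard library only, and the key ID is taken to be the SHA-256 fingerprint of the public key bytes (an assumption, since the thread does not define the key ID format). In both models the verifier's decision is exactly the introducer's decision: a sloppy CA and a sloppy directory produce the same outcome.

```python
import hashlib
import hmac

# Constructed sample "public keys" (in practice: DER-encoded SubjectPublicKeyInfo).
HONEST_KEY = b"honest-site-public-key"
ROGUE_KEY = b"attacker-public-key"
HOST = "example.com"


def key_id(public_key: bytes) -> str:
    """Key ID modelled as the SHA-256 fingerprint of the public key bytes (assumption)."""
    return hashlib.sha256(public_key).hexdigest()


# --- Scenario 1: a CA signs (hostname, key) pairs -------------------------------
# HMAC is a stand-in for a real signature; a real verifier holds only the CA's
# public key, not a shared secret, but the trust structure is the same.
CA_SECRET = b"constructed-ca-signing-secret"


def ca_sign(ca_secret: bytes, hostname: str, public_key: bytes) -> bytes:
    msg = hostname.encode() + b"\0" + public_key
    return hmac.new(ca_secret, msg, hashlib.sha256).digest()


def browser_accepts(trusted_ca_secret: bytes, hostname: str,
                    public_key: bytes, signature: bytes) -> bool:
    """Browser trusts whatever the CA signed for this hostname."""
    expected = ca_sign(trusted_ca_secret, hostname, public_key)
    return hmac.compare_digest(expected, signature)


# --- Scenario 2: a directory lists the key ID for each hostname ----------------
def directory_accepts(directory: dict, hostname: str, public_key: bytes) -> bool:
    """Client trusts whatever key ID the directory lists for this hostname."""
    return directory.get(hostname) == key_id(public_key)


def run_scenarios() -> dict:
    """Exercise honest, unintroduced-rogue, and sloppy-introducer cases in both models."""
    results = {}

    # Honest introduction: CA signs the site's key / directory lists its key ID.
    honest_sig = ca_sign(CA_SECRET, HOST, HONEST_KEY)
    directory = {HOST: key_id(HONEST_KEY)}
    results["ca_honest"] = browser_accepts(CA_SECRET, HOST, HONEST_KEY, honest_sig)
    results["dir_honest"] = directory_accepts(directory, HOST, HONEST_KEY)

    # Rogue key with no introduction at all: both models reject.
    results["ca_rogue_unsigned"] = browser_accepts(CA_SECRET, HOST, ROGUE_KEY, honest_sig)
    results["dir_rogue_unlisted"] = directory_accepts(directory, HOST, ROGUE_KEY)

    # Sloppy introducer: the CA signs the rogue key, or the directory lists its ID.
    sloppy_sig = ca_sign(CA_SECRET, HOST, ROGUE_KEY)
    sloppy_directory = {HOST: key_id(ROGUE_KEY)}
    results["ca_sloppy"] = browser_accepts(CA_SECRET, HOST, ROGUE_KEY, sloppy_sig)
    results["dir_sloppy"] = directory_accepts(sloppy_directory, HOST, ROGUE_KEY)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```

The point the model makes explicit is that neither verifier checks anything about the site itself; each only checks what its introducer said. Moving the introduction step from a CA to a directory relocates the weak link without removing it.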