[cryptography] Tell Grandma to remember the Key ID and forget the phone number. [was: Re: Let's go back to the beginning on this]

John Levine johnl at iecc.com
Mon Sep 26 13:18:13 EDT 2011

>Now what you're suggesting could work if you did something like made
>some directories that stored the key IDs and web sites they belonged to.

I'm having trouble understanding how this is usefully different than
a CA.

Current scenario: you do something to persuade a CA to sign your cert.
Then browsers say you're OK, which is a problem if the CA is sloppy.

New improved scenario: you do something to persuade a directory to
list your key ID.  Then some manual or automatic process makes your
web site appear OK, which is a problem if the directory managers are

What am I missing here?  This all boils down to the introduction
problem, how do you persuade one party that a second party who they
don't know yet is OK.  It's always the weak link in any security model
which has a perimiter with nice people inside and unknown or nasty
people outside.


More information about the cryptography mailing list