[cryptography] Client TLS Certificates - why not?

StealthMonger StealthMonger at nym.mixmin.net
Wed Mar 6 06:33:34 EST 2013

"James A. Donald" <jamesd at echeque.com> writes:

> On 2013-03-06 4:41 AM, StealthMonger wrote:
>> 2. Prospective customer verification of merchant: Merchant includes
>> the ID of its signing key in every advertisement and repeatedly
>> admonishes prospects to "Accept No Substitutes".

> The key, and the hash of the key, is a long string of random
> gibberish.  It should not be visible to end users.  Experience
> demonstrates that showing it repels 99% of end users.

Merchant includes its telephone number in every advertisement and
repeatedly admonishes prospects to call.

The telephone number may be a long string of random digits.  Yet end
users understand that they have to use it if they want to follow up.

Your only argument is that the key ID is "longer" or more "random".  A
solution is redesign of the hash code so it doesn't have to be so long
plus maybe merchant generating and discarding lots of keys until
stumbling on one with a pronounceable hash.

These are not easily accomplished, but they would enable slaying the
CA dragon.

-- 

 -- StealthMonger <StealthMonger at nym.mixmin.net>
    Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html

Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key
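
The "generate and discard keys until one has a pronounceable hash" idea from the message above, as an added example that is not part of the original post. The 8-letter base-26 ID, the consonant-vowel rule, and `candidate_key` (a deterministic stand-in for real key-pair generation) are assumptions made for illustration.

```python
import hashlib
import math
from itertools import count

VOWELS = "aeiou"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def key_id(pubkey: bytes, letters: int = 8) -> str:
    """Short key ID: SHA-256 of the key, rendered as base-26 letters."""
    n = int.from_bytes(hashlib.sha256(pubkey).digest(), "big")
    out = []
    for _ in range(letters):
        n, r = divmod(n, 26)
        out.append(ALPHABET[r])
    return "".join(out)

def pronounceable(kid: str) -> bool:
    """Strict consonant-vowel alternation, e.g. 'tokamiru'."""
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(kid))

def candidate_key(seed: bytes, i: int) -> bytes:
    """Stand-in for generating the i-th fresh key pair (assumption):
    32 pseudo-random bytes playing the role of the public key."""
    return hashlib.sha256(seed + i.to_bytes(8, "big")).digest()

def grind(seed: bytes, letters: int = 8):
    """Generate and discard keys until the ID is pronounceable."""
    for attempts in count(1):
        pub = candidate_key(seed, attempts)
        kid = key_id(pub, letters)
        if pronounceable(kid):
            return pub, kid, attempts

def id_bits(letters: int = 8) -> float:
    """Bits a pronounceable ID can distinguish: log2((21*5)^(letters/2))."""
    return (letters // 2) * math.log2(21 * 5)

if __name__ == "__main__":
    pub, kid, attempts = grind(b"constructed demo seed")
    expected = (26 * 26 / (21 * 5)) ** 4  # mean keys tried for 8 letters
    print(f"ID {kid} after {attempts} keys (expected about {expected:.0f})")
    print(f"ID distinguishes about {id_bits():.1f} bits of the key hash")
```

The merchant's grinding cost is small, but so is the ID: eight alternating letters cover about 27 bits of the hash, so the identifier authenticates the key only to that strength.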


