[cap-talk] A petname toolbar for Firefox
Ian G
iang at systemics.com
Fri Feb 18 22:49:17 EST 2005
Ka-Ping Yee wrote:
>On Sat, 19 Feb 2005, [iso-8859-1] Tyler Close wrote:
>
>
>>Under HTTPS, the end entity certificate typically has a lifetime of only
>>1 year. The only persistent identifier for the site is the ( domain
>>name, CA public key ) pair.
>>
>>
>
>I see. That makes more sense now. But why do you go all the
>way up to the root instead of just one level to the CA that
>issued the site's certificate? I thought the root's certificate
>only vouches for the identity of its subject, not for the
>subject's trustworthiness (and all its descendants' trustworthiness)
>at managing its namespace. I guess i'm unclear on exactly what
>commitment is represented by a certificate higher in the chain.
>
>
At the technical level, I don't see how you
can ever say that any of those higher certs
will say anything other than what is in the
cert itself. I.e., that domain, and maybe those
other details.
Otherwise, you'd be asking the tech to
interpret meat space documents, and we
don't have a good theory for that yet.
(Although we have a fine conference and
some papers from this group ;)
>>The above, among other reasons, is why petnames are much more powerful
>>when used in tandem with HTTPSY. Perhaps we can get there in stages.
>>
>>
>
>It seems to me that the phishing problem would be much easier
>to solve if we encouraged all sites to use self-signed certificates
>and switched browsers to use HTTPS by default before falling back
>to HTTP.
>
>
Amen to that. But the technical community
will dig their heels in over that one. However,
here's the thing: *IF* we can get the browsers
to display the CAs, then a later, future, small
step is to get them to display the self-signed
nature of a non-CA cert. At that point, there
would be an easing of resistance to the notion
of self-signed certs. So my current strategy is
to stay moot on the subject of self-signed certs.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
More information about the cap-talk
mailing list