I'm pretty fond of the idea proposed by gpgAuth.One key to rule them all (and one password) combined with the client verifying the server.It's still in its infancy, but it works. -A (Full disclosure: I work with the creator of gpgAuth in our day jobs) On Sun, Sep 11, 2011 at 11:47, Richard Barnes <richard.barnes@gmail.com> wrote:
There's an app^W^Wa Working Group for that. <http://tools.ietf.org/wg/dane/>
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones <mike@mikejones.in> wrote:
On 11 September 2011 16:55, Bjørn Mork <bjorn@mork.no> wrote:
You can rewrite that: Trust is the CA business. Trust has a price. If the CA is not trusted, the price increases.
Yes, they may end up out of business because of that price jump, but you should not neglect the fact that trust is for sale here.
The CA model is fundamentally flawed in the fact that you have CAs whose sole "trustworthiness" is the fact that they paid for an audit (for Microsoft, lower requirements for others), they then issue intermediate certificates to other companies (many web hosts and other minor companies have them) whose sole "trustworthiness" is the fact that they paid for an intermediate certificate, all of those companies/organisations/people are then considered trustworthy enough to confirm the identity of my web server despite the fact that none of them have any connection at all to me or my website.
There is already a chain of trust down the DNS tree, if that is compromised then my SSL is already compromised (if they control my domain, they can "verify" they are me and get a certificate), what happened to RFC4398 and other such proposals? EV certificates have a different status and probably still need the CA model, however with "standard" SSL certificates the only validation done these days is checking someone has control over the domain. DNSSEC deployment is advanced enough now to do that automatically at the client. We just need browsers to start checking for certificates in DNS when making a HTTPS connection (and if one is found do client side DNSSEC validation - I don't trust my ISPs DNS servers to validate something like that, considering they are the ones likely to be intercepting my connections in the first place!).
It will take a while to get updated browsers rolled out to enough users for it do be practical to start using DNS based self-signed certificated instead of CA-Signed certificates, so why don't any browsers have support yet? are any of them working on it?
- Mike