[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Jacob Appelbaum jacob at appelbaum.net
Thu Nov 10 09:41:31 PST 2011


On 11/10/2011 09:36 AM, Daniel Kahn Gillmor wrote:
> On 11/10/2011 12:14 PM, Phillip Hallam-Baker wrote:
>> For all the faults you see in the SSL/CA system the fact is that it is the
>> only application of public key cryptography that has been successful on the
>> Internet. Actual use of S/MIME, PGP and IPSEC remains negligible.
> 
> The widespread deployment of X.509/CA infrastructure is *precisely* the
> reason that it's important to make sure that problems are identified,
> acknowledged, and fixed. It's not a magic wand to make the problems
> disappear.
> 

I'd like to point out Ian Goldberg's fantastic work on a crypto system
that actually works in the wild:
http://www.cypherpunks.ca/otr/otr-wpes.pdf

It's not perfect but it works and it works automatically. I find that
it's more common to OTR with someone than for them to have used SSL to
connect to their chat service. Their chat service generally is not
accessed in a web browser, I might add.

All the best,
Jacob


