[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Nov 12 18:34:04 PST 2011


Ralph Holz <holz at net.in.tum.de> writes:

>You see, all these PKI problems are well-known, and no-one has come up with 
>sensible solutions in the past decades. 

I think as long as the industry can keep layering epicycles upon epicycles for 
PKI rather than looking at, and addressing, the underlying problem, we'll never 
get any real solution, or even real progress.  Look at the response to the 
Diginotar meltdown, it's been to add another couple of epicycles [0] and then 
sit back and wait for the next, inevitable, one to hit us, the exact same 
strategy that failed the previous twenty times it was tried [1].

Peter.

[0] I'm using the epicycles concept in its popularly-disseminated sense as an
    analogy, not necessarily the historically correct one, which can be debated
    endlessly.
[1] The most popular form of the epicycle story ascribes 80 to the Ptolemaic 
    system, so we have a while to go yet.


