[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Nov 12 18:34:04 PST 2011
Ralph Holz <holz at net.in.tum.de> writes:
>You see, all these PKI problems are well-known, and no-one has come up with
>sensible solutions in the past decades.
I think as long as the industry can keep layering epicycles upon epicycles for
PKI rather than looking at, and addressing, the underlying problem, we'll never
get any real solution, or even real progress. Look at the response to the
Diginotar meltdown, it's been to add another couple of epicycles [0] and then
sit back and wait for the next, inevitable, one to hit us, the exact same
strategy that failed the previous twenty times it was tried [1].
Peter.
[0] I'm using the epicycles concept in its popularly-disseminated sense as an
analogy, not necessarily the historically correct one, which can be debated
endlessly.
[1] The most popular form of the epicycle story ascribes 80 to the Ptolemaic
system, so we have a while to go yet.