[148182] in cryptography@c2.net mail archive


Re: [Cryptography] Moving forward on improving HTTP's security

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Fri Nov 15 12:59:54 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAHOTMVJ=rhGhgeZ6a4aLKOcRwvj7CpnXF64+V4XH4GPVxjzrVA@mail.gmail.com>
Date: Thu, 14 Nov 2013 20:04:20 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Cc: Greg <greg@kinostudios.com>, John Kelsey <crypto.jmk@gmail.com>,
	Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Thu, Nov 14, 2013 at 2:50 PM, Tony Arcieri <bascule@gmail.com> wrote:

> On Wed, Nov 13, 2013 at 9:46 PM, Greg <greg@kinostudios.com> wrote:
>>
>> The basics would be to not use the CAs. Working on rest of details,
>> they're mostly finished, just gotta make 'em nice 'n pretty. And some code
>> would be good, too.
>>
>
> And what of other solutions like CT or Tack?
>
> Given Google's power to influence change via Chrome and its share of the
> browser market, I think we'll see CT as the primary solution for what
> ails the existing PKI.
>

How does CT prevent coding errors in browsers? in Adobe Flash?

How does CT prevent network managers losing their keys or exporting the
private component and sending it to someone as an attachment?

How does CT shut down a party that legitimately obtains a certificate and
then acts maliciously?


There are many issues with the Web PKI. The biggest one is actually the
fact that most of the browsers make reducing connection latency a higher
priority than processing certificate revocation properly.


-- 
Website: http://hallambaker.com/


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
