Comments: The Convergence of PKI

we were brought in to consult with a small client/server startup that wanted to do payment transactions on their server; they had also invented this technology called "SSL" they wanted to use. the result is now frequently called "electronic commerce"

the trust model is the user trusts the URL ... the user is supposed to understand the relationship between the webserver they think they are talking to and the URL. Then SSL provides the trust between the URL and the webserver they are actually talking to. The original deployment for security/trust was that the user types in the trusted URL and goes to that website and the whole session is https. That was almost immediately broken when merchants discovered https cut their throughput by 85-95% and they dropped back to just using https for check-out/paying. This involved the user clicking on a button (from an unvalidated/untrusted website) which provided a (/an untrusted) URL. Now rather than the user talking to the website they think they are talking to ... it just becomes the website that the website claims to be.

I've pontificated that the CA industry has somewhat backed some aspects of DNSSEC where somebody registers a public key along with registering a domain. This is a countermeasure to domain name take-over ... all subsequent communication with the domain name infrastructure is digitally signed and verified with the on-file public key. The scenario is somebody that has taken over a domain can go to a CA for a certificate ... since the CA validates the true ownership of the domain certificate with the authoritative agency for domain ownership ... the domain name infrastructure (the root trust for domain certificates is the integrity of the agency that keeps track of who owns a domain).

This creates something of a catch-22 for the CA industry since one could imagine that the response to a domain->ip-address request could also piggy-back the on-file public key (eliminating the need for domain certificates).

There was a recent item claiming that Google is now the highest used DNS server.
http://code.google.com/speed/public-dns/docs/using.html

Google now the largest public DNS provider in the world
http://www.fiercecio.com/techwatch/story/google-now-largest-public-dns-provider-world/2012-02-16

misc. past posts mentioning the catch-22 for the CA industry
http://www.garlic.com/~lynn/subpubkey.html#catch22

Posted by Lynn Wheeler at February 18, 2012 09:51 AM
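An added example (not the commenter's or the blog's code) of the "piggy-back the on-file public key" idea in the comment above: the registry signs a record binding domain, address and key, and the client accepts a server only if the record verifies and the server proves it holds that key. The record format, the names and the use of Ed25519 are assumptions for illustration; real DNSSEC signing and key distribution are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Record: constructed stand-in for a DNS answer that carries the domain's on-file
// public key next to its address, signed by the registry (RRSIG's role in DNSSEC).
type Record struct {
	Name, IP string
	PubKey   ed25519.PublicKey
	Sig      []byte // registry signature over Name|IP|PubKey
}

func recordBytes(r Record) []byte { return append([]byte(r.Name+"|"+r.IP+"|"), r.PubKey...) }

// signRecord is the registry's side: it vouches for name, address and key.
func signRecord(regPriv ed25519.PrivateKey, name, ip string, pub ed25519.PublicKey) Record {
	r := Record{Name: name, IP: ip, PubKey: pub}
	r.Sig = ed25519.Sign(regPriv, recordBytes(r))
	return r
}

// verifyServer is the client's side: the record must carry a valid registry signature,
// and the server must prove it holds the on-file key by signing the client's nonce.
func verifyServer(regPub ed25519.PublicKey, r Record, nonce, serverSig []byte) error {
	if !ed25519.Verify(regPub, recordBytes(r), r.Sig) {
		return errors.New("record not signed by the registry")
	}
	if !ed25519.Verify(r.PubKey, nonce, serverSig) {
		return errors.New("server does not hold the on-file key for " + r.Name)
	}
	return nil
}

// Demo: outcome for the real server, for an attacker on the route with a different
// key, and for one who swaps the key in the record but cannot re-sign as the registry.
func Demo() (legit, hijack, tamper error) {
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)
	badPub, badPriv, _ := ed25519.GenerateKey(rand.Reader)
	rec := signRecord(regPriv, "shop.example", "192.0.2.10", srvPub) // constructed values
	nonce := []byte("constructed-client-nonce")                      // a real client draws this randomly
	legit = verifyServer(regPub, rec, nonce, ed25519.Sign(srvPriv, nonce))
	hijack = verifyServer(regPub, rec, nonce, ed25519.Sign(badPriv, nonce))
	swapped := Record{Name: rec.Name, IP: rec.IP, PubKey: badPub, Sig: rec.Sig}
	tamper = verifyServer(regPub, swapped, nonce, ed25519.Sign(badPriv, nonce))
	return legit, hijack, tamper
}
```

The root of trust here is the registry key alone, which is exactly the point the comment makes: whoever keeps the ownership record decides who the domain is.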

I feel like the whole PKI system is a complete joke. All it does is make me suspicious about my browser.

IMO we are moving towards a combination of Namecoin and Ricardian contracts.

Your contract will contain your Namecoin address, and your Namecoin address will resolve to a censorship-proof record of your contract hash.

dot p2p baby!

Posted by Fellow Traveler at February 25, 2012 06:56 AM