Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Jasper Wallace jasper at pointless.net
Mon Sep 12 16:08:23 CDT 2011


On Mon, 12 Sep 2011, Gregory Edigarov wrote:

> On Mon, 12 Sep 2011 12:12:08 +0200
> Martin Millnert <millnert at gmail.com> wrote:
> 
> > Mike,
> > 
> > On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <mike at mikejones.in> wrote:
> > > It will take a while to get updated browsers rolled out to enough
> > > users for it do be practical to start using DNS based self-signed
> > > certificated instead of CA-Signed certificates, so why don't any
> > > browsers have support yet? are any of them working on it?
> > 
> > Chrome v 14 works with DNS stapled certificates, sort of a hack. (
> > http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
> > 
> > There are other proposals/ideas out there, completely different to
> > DANE / DNSSEC, like http://perspectives-project.org/ /
> > http://convergence.io/ .
> 
> I.e. instead of a set of trusted CAs there will be one distributed net
> of servers, that act as a cert storage?
> I do not see how that could help...

The point of perspectives and convergence is this. The browser says:

>From my point of view site X has a certificate with fingerprint Y, what do 
you guys all see from your points of view?

If the perspectives/convergence servers see a different certificate then 
you know that you are the victim of a mitm attack..

I.E. the perspectives and convergence system does not attempt to assert 
anything about a sites identity, just that everyone sees the same cert for 
a site.

(of course if the mitm is happening close enough to the site 
networktopologicly speaking than all the perspectives/convergence servers 
will see the same, fake, cert and your out of luck).

> Well, I do not even see how can one trust any certificate that is
> issued by commercial organization. 

perspectives and convergence don't issue certs.

-- 
[http://pointless.net/]                                   [0x2ECA0975]



More information about the NANOG mailing list