Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Martin Millnert millnert at gmail.com
Mon Sep 12 11:32:40 UTC 2011


Gregory,

On Mon, Sep 12, 2011 at 1:23 PM, Gregory Edigarov
<greg at bestnet.kharkov.ua> wrote:
> On Mon, 12 Sep 2011 12:12:08 +0200
> Martin Millnert <millnert at gmail.com> wrote:
>
>> Mike,
>>
>> On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones <mike at mikejones.in> wrote:
>> > It will take a while to get updated browsers rolled out to enough
>> > users for it to be practical to start using DNS-based self-signed
>> > certificates instead of CA-signed certificates, so why don't any
>> > browsers have support yet? Are any of them working on it?
>>
>> Chrome v 14 works with DNS stapled certificates, sort of a hack. (
>> http://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
>>
>> There are other proposals/ideas out there, completely different to
>> DANE / DNSSEC, like http://perspectives-project.org/ /
>> http://convergence.io/ .
>
> I.e. instead of a set of trusted CAs there will be one distributed net
> of servers that act as cert storage?
> I do not see how that could help...
> Well, I do not even see how one can trust any certificate that is
> issued by a commercial organization.


As I understand it, the idea is that you would have the
power/capability to assign trust yourself to friends, CAs and your
cat.  This then forms some form of (washed-out word warning) web of
trust when you connect up with others and get their
one-step-away trust imported.


Outsourcing trust is a pretty hard problem... there's no way to get
around it, really, so this approach (as per my limited research) at
least gives you some power to control it.

Regards,
Martin
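The trust model sketched above (you assign trust to friends and notaries yourself, then import your friends' one-step-away trust, and a certificate is judged by what the resulting set of trusted notaries observed), as an added toy example that is not code from the thread or from the Perspectives/Convergence projects. All names, fingerprints and the quorum rule are constructed for illustration.

```python
from collections import Counter

# Constructed sample data for this example (not real notary output).
# Each notary reports the certificate fingerprint it saw for a host.
OBSERVATIONS = {
    "notary-a": {"example.com": "fp-1"},
    "notary-b": {"example.com": "fp-1"},
    "notary-c": {"example.com": "fp-1"},
    "notary-d": {"example.com": "fp-2"},  # sees a different cert on its path
}

# Trust you assign yourself: principal -> principals it trusts directly.
DIRECT_TRUST = {
    "me": {"alice", "notary-a"},
    "alice": {"notary-b", "notary-c", "bob"},
    "bob": {"notary-d"},
}


def effective_trust(principal, direct=DIRECT_TRUST, hops=1):
    """Principals trusted by `principal` after importing friends' direct
    trust up to `hops` steps away (hops=1 is the 'one-step-away trust')."""
    trusted = set(direct.get(principal, ()))
    frontier = set(trusted)
    for _ in range(hops):
        imported = set()
        for friend in frontier:
            imported |= set(direct.get(friend, ()))
        imported -= trusted | {principal}   # do not re-import or self-trust
        trusted |= imported
        frontier = imported
    return trusted


def check_cert(principal, host, fingerprint, direct=DIRECT_TRUST,
               observations=OBSERVATIONS, hops=1, quorum=2):
    """Count how many trusted notaries agree/disagree with `fingerprint`;
    accept only with a quorum of agreement and no majority against."""
    votes = Counter()
    for notary in effective_trust(principal, direct, hops):
        seen = observations.get(notary, {}).get(host)
        if seen is not None:
            votes["agree" if seen == fingerprint else "disagree"] += 1
    agree, disagree = votes["agree"], votes["disagree"]
    return {"agree": agree, "disagree": disagree,
            "accept": agree >= quorum and agree > disagree}


if __name__ == "__main__":
    print(check_cert("me", "example.com", "fp-1"))          # accepted
    print(check_cert("me", "example.com", "fp-2", hops=2))  # rejected
```

Dropping a notary from your own `DIRECT_TRUST` entry immediately changes the verdict, which is the "power to control it" the post refers to.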




More information about the NANOG mailing list