Hi Jason,

It's quite the coincidence that I saw this email of yours a few days ago when I 
was wondering the same thing.

I've read through many of the replies to this thread but haven't been able to 
answer a related question that I have.

I'm looking for a date that I could point to and call the "birth of modern 
HTTPS/PKI".

There is the Loren M Kohnfelder thesis from May of 1978, but that's not quite 
it because it wasn't actually available to anyone at the time.

Perhaps an event along the lines of "first modern HTTPS implementation in a 
public web browser was released", or something like that.

Any leads? Maybe something from Netscape's history?

Thanks,
Greg

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

On Apr 16, 2014, at 10:30 AM, Jason Iannone <[email protected]> wrote:

> The more I read, the more bewildered I am by the state of the PKI.
> The trust model's unwieldy system[1] of protocols, dependencies, and
> outright assumptions begs to be exploited.  Add to that the browser
> behavior for a self-signed certificate (RED ALERT! THE SKY IS
> FALLING!) compared to a "trusted" site and we're in bizarro world.
> I'd rather we close the gap and appreciate a secure transaction with
> an unauthenticated party than proclaim all is lost when a self-signed
> key is presented.  I see no reason to trust VeriSign or Comodo any
> more than Reddit.  Assuming trust in a top heavy system of Certificate
> Authorities, Subordinate Certificate Authorities[2], Registration
> Authorities, and Validation Authorities[3] in a post bulk data
> collection partnership world is a non-starter.  The keys are
> compromised.
> 
> With that, I ask for a history lesson to more fully understand the
> PKI's genesis and how we got here.  Maybe a tottering complex
> recursive hierarchical system of trust is a really great idea and I
> just need to be led to the light.
> 
> [1]http://csrc.nist.gov/publications/nistpubs/800-15/SP800-15.PDF,
> http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32.pdf
> [2]https://www.eff.org/files/DefconSSLiverse.pdf,
> https://www.eff.org/files/ccc2010.pdf
> [3]http://en.wikipedia.org/wiki/Public-key_infrastructure
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
