
Re: Letsencrypt - Debian?



On decadi 10 thermidor, year CCXXIII, Christian Seiler wrote:
> But no other way without using the service of companies with a
> business model that many people don't necessarily want to
> support.

The business model may be more acceptable, but the security model is the
same, and it is utterly broken.

Certificates, signatures and such are there to allow the client to trust the
server. Therefore, choosing the certification authority should be up to the
client.

Right now, the only choice is between trusting a bunch of certification
authorities that do nothing more than checking the DNS ownership and not
having certification at all. That is not a choice, that is a bad joke.

Firefox starts getting it right with public key pinning, but it has too many
limitations. First, Firefox only has hard-coded pinning; users should be
able to manage it, just like ~/.ssh/known_hosts. Second, it will not work on
a large scale as long as sites change their public key more often than their
graphic design.

And most importantly: third, it lacks a protocol to obtain pinning /
certification from third party.

Because that is the only way it should work: when I visit an unknown server,
my client should query the certification authorities I chose, and if enough
of them trust the server, then I consider it trustworthy.

Not only is it the correct way of establishing trust, but it also opens
whole new branches of business. For example, my insurance could run its own
certification authority for a small additional fee, certifying not only
key-DNS mapping but also honesty and good security practices. If one of the
sites that it certifies swindles me or has poor security and gets cracked,
the insurance pays immediately. Nothing like that is possible with the
current model.

Back to "let's encrypt": I usually do not condone behaviours that we call
"politique du pire"¹, but I must observe that, by making the whole system
more acceptable to people who thought of the ugly business model but not of
the absurd trust model, "let's encrypt" will delay the appearance of a
correct system.

(And do not get me started on the absurd payment model, where you have to
give your credit card number to various random sites instead of simply being
redirected to a pre-filled transfer form on your own bank's site. Same
stupid design mistake.)


1: I did not find a proper idiomatic English translation; it means making
things deliberately worse (or refusing easy ways of making them better) in
order to convince people they must change and make things better.


Regards,

-- 
  Nicolas George
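The decision procedure sketched in this message (a pin store the user manages, in the style of ~/.ssh/known_hosts, and a client that accepts an unknown server only when enough of the certifiers the user chose vouch for the key it actually sees) as an added example in Python. This is not code from the post, from Debian or from Let's Encrypt; the SPKI bytes, the pin-store lines and the notary answers are constructed inline, and the notary names, the "sha256" line format and the quorum-of-notaries rule are assumptions of the example.

```python
"""
User-managed pin store plus a k-of-n notary quorum, as the post sketches.
Everything below is constructed example data: no network, no real keys.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the form Firefox/HPKP use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pin_store(text: str) -> Dict[str, str]:
    """Parse a known_hosts-style file: one '<host> sha256 <base64 pin>' per line,
    '#' starts a comment. Malformed lines raise instead of being skipped, so a
    corrupted store cannot silently drop a pin (assumed format, not a standard)."""
    pins: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != "sha256":
            raise ValueError(f"pin store line {lineno}: expected '<host> sha256 <pin>'")
        pins[parts[0]] = parts[2]
    return pins


def evaluate_trust(host: str, observed_spki: bytes, pin_store: Dict[str, str],
                   notaries: Dict[str, Optional[str]], quorum: int) -> Tuple[str, str]:
    """Decide whether to trust `host` presenting `observed_spki`.

    1. A pin the user stored locally is final: match -> accept, mismatch -> reject.
       No notary answer can override it; that is the point of user-managed pins.
    2. Otherwise ask the notaries the user chose. `notaries` maps notary name to
       the pin it reports for this host, or None if it has no record / no answer.
       Accept only if at least `quorum` of them report the pin we actually see.
    Returns (verdict, reason) with verdict in {"accept", "reject", "unknown"}.
    """
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    pin = spki_pin(observed_spki)
    stored = pin_store.get(host)
    if stored is not None:
        if hmac.compare_digest(stored, pin):
            return "accept", "matches locally stored pin"
        return "reject", "locally stored pin does not match presented key"

    agree = sorted(n for n, p in notaries.items() if p == pin)
    disagree = sorted(n for n, p in notaries.items() if p is not None and p != pin)
    if len(agree) >= quorum:
        return "accept", f"{len(agree)} of {len(notaries)} notaries vouch: {', '.join(agree)}"
    if disagree:
        # Someone sees a different key for this host: a MITM on our path or an
        # unannounced key rotation. Either way, do not connect silently.
        return "reject", f"notaries report a different key: {', '.join(disagree)}"
    return "unknown", f"only {len(agree)} of the required {quorum} notaries vouch"


# --- constructed sample data (not real DER, not real notaries) ---------------
SPKI_A = b"constructed SubjectPublicKeyInfo for example.org, key 1"
SPKI_B = b"constructed SubjectPublicKeyInfo for example.org, key 2"   # a different key
PIN_A, PIN_B = spki_pin(SPKI_A), spki_pin(SPKI_B)

PIN_STORE_TEXT = (
    "# host               alg     pin   (same shape as ~/.ssh/known_hosts)\n"
    f"pinned.example.org   sha256  {PIN_A}\n"
)
PINS = parse_pin_store(PIN_STORE_TEXT)

# Hypothetical notaries the user configured; "insurer" stands in for the
# insurance-run certifier the post imagines.
NOTARIES_AGREE = {"notary-1": PIN_A, "notary-2": PIN_A, "insurer": PIN_A}
NOTARIES_SPLIT = {"notary-1": PIN_A, "notary-2": PIN_B, "insurer": None}
NOTARIES_SILENT = {"notary-1": None, "notary-2": None, "insurer": None}


if __name__ == "__main__":
    cases = [
        ("pinned.example.org", SPKI_A, NOTARIES_SPLIT),   # local pin wins over split notaries
        ("pinned.example.org", SPKI_B, NOTARIES_AGREE),   # key changed: reject regardless
        ("new.example.org", SPKI_A, NOTARIES_AGREE),      # no pin, quorum reached
        ("new.example.org", SPKI_A, NOTARIES_SPLIT),      # no pin, one notary sees another key
        ("new.example.org", SPKI_B, NOTARIES_SILENT),     # nobody knows this host
    ]
    for host, spki, notaries in cases:
        verdict, why = evaluate_trust(host, spki, PINS, notaries, quorum=2)
        print(f"{host:20} {verdict:8} {why}")
```

Two design choices worth noting: a locally stored pin is final, so a compromised or coerced notary cannot talk the client into a key the user has already rejected; and a notary that reports a different key causes a reject rather than a fall-through to "unknown", which is exactly where the post's second objection (sites rotating keys more often than their design) shows up as an ambiguity between rotation and interception that the client cannot resolve on its own.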
