Anything in this story of concern?

Garrett Wollman wollman at bimajority.org
Tue Sep 10 02:14:21 UTC 2013


<<On Mon, 09 Sep 2013 07:34:17 +0000, "Poul-Henning Kamp" <phk at phk.freebsd.dk> said:

> And as Garrett Wollman correctly pointed out on twitter: It remains
> yet to be seen if any implementation of SSL/TLS can be non-crap,
> given that they are stuck with X.509.

I should say, by the way, that X.509 is not an inherent requirement of
SSL/TLS, *but* it's what the clients implement.  You can do GSSAPI
authentication for the TLS key exchange, but there's little benefit in
doing that versus just doing straight GSSAPI sign/seal and leaving TLS
out of it completely.  (Plus, there are only two options for GSSAPI;
one of them doesn't work at Internet scale and the other is back to
X.509 again.)  You can also do OpenPGP-style Web of Trust
authentication for the TLS key exchange, but that doesn't work
at Internet scale either.  GnuTLS supports both, however.

What would work, would be better than the X.509 CA infrastructure we
have now, and has been demonstrated experimentally, is using DNSsec to
publish server public keys -- but that's hardly reducing the size of
the TCB, and it would significantly worsen the impact of bugs in
validating DNSsec implementations.  The likely result, if browsers and
servers began to support this as a legitimate option, would be that
the existing rents collected by X.509 CAs would instead be paid to
domain registries and registrars.  (On the other hand, it
seems unlikely that registries could get away with charging the same
premium for a secure delegation as CAs now do for a wildcard
certificate -- and the latter is a horrible idea anyway.)

-GAWollman
