ietf

Re: https

2011-08-27 12:11:50
On 8/27/11 7:25 AM, ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com wrote:
> I don't have an answer here, but the one thing I'm fairly sure of is that
> blindly pushing TLS everywhere is not the solution a lot of folks believe
> it is.

I tend to think that the problem here (and I agree that it's a big one)
isn't TLS, but that PKI as defined by pkix is very difficult to deploy
correctly.

Agreed.

I've seen similar sorts of problems with digital signatures
on email, but in those cases as often as not someone simply got
the certificate contents wrong (or the user doesn't understand how to
configure his mail client correctly and is using a name that doesn't
appear in the certificate) rather than the cert has expired (although
there's a lot of that, too).  There's a substantial usability problem.

Absolutely, and it's both architectural and operational - PKI is
full of complex and subtle concepts that implementations don't exactly
help you with.

                                Ned
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
