[Try the second]
On Sat, Dec 26, 2015 at 10:11 PM, John C Klensin <john-ietf(_at_)jck(_dot_)com>
wrote:
--On Saturday, December 26, 2015 9:52 PM -0500 Phillip
Hallam-Baker <phill(_at_)hallambaker(_dot_)com> wrote:
...
One of the issues people don't seem to consider in these
schemes is that merely reducing the number of trusted
intermediaries from ~40 to one doesn't actually remove
reliance on trusted third parties, it merely removes all
choice in the matter.
And even that equation tends to be complicated by the
observation that the trust relationship, as far as certification
of identity is concerned, is with the registrars (and, in some
cases, their agents and resellers) rather than with the
registries. At that point, the number of trusted intermediaries
gets back toward order 40 or 100, not one, unless the question
is "do you control this domain" rather than "are you who you say
you are".
The question the WebPKI was designed to answer is 'are you accountable'.
The original brief was to make buying 'stuff' online as safe as in
person at a bricks and mortar store. The basic approach was to
establish a degree of accountability, to make it infeasible for an
attacker to acquire credentials at a rate that would make online fraud
profitable.
One of the things that irritates me is that in the original design,
one of the principal controls used to ensure this goal was met was
revocation, canceling credentials when a party defects. I can't stop a
criminal registering a business but I can pull their certificate in 24
hours.
But the applications don't see the need for this particular control or
at least not in a fashion that is actually effective.. Which is rather
odd since if there actually was a trust crisis in the WebPKI you would
expect that complaints about insufficiently fast revocation would be
at least as loud as complaints about mis-issue.