I was going to complain, “yes, but what has Convergence really done so far?” until I noticed this article is from 2011. But I guess my point still stands; what is anyone doing about this besides this plugin, which a very small number of people actually use?
If we’ve learned anything about committees and standards organizations by now, it’s that they’re painfully slow and usually get influenced by companies, especially those with a financial stake in the game. All of the companies making lots of money selling SSL certificates are going to see to it that the current situation doesn’t change.
I think Mozilla should take a page from the CSS book and just do something vendor-specific about this already. Add DNSSEC-verified self-signed cert validation or something like Convergence and just ship it. Let people start using it and benefiting from it, make tweaks, fix bugs, and when enough people start using it, other browsers will adopt it. That’s how a lot of the newer CSS improvements came about without having to wait for W3C to standardize on things.
I’ve kind of been in the certs via DNSSEC camp since I first heard of it. To the point where I’m only interested in DNSSEC iff it comes with a CA replacement mechanism.
I think Moxie sells this system a little short in comparison to existing CA infrastructure. It’s hierarchical distribution vs distributed hierarchy, if that makes any sense. It’s true that if Verisign controls .com, everybody with a .com has to trust them. But people using .eu don’t have to trust them. Each root has their own top level entity you have to trust, but you don’t have to trust all of the top level entities. If I’m running a .com and I trust Verisign, I don’t have to worry about .cn (to pick on the bad guys of the now) signing fake DNSSEC records for me.
I like DNSSEC because it offers the opposite of trust agility. Random CAs won’t appear in my browser’s cert list because “why not?”. I think what I want is delegation. I care less about who in particular I delegate trust to, but more about simply knowing who I have and have not delegated trust to.
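A toy of the delegation argument in the two comments above (hierarchical distribution vs. distributed hierarchy, and knowing exactly who you have delegated trust to), written for this page and not taken from Convergence or any DNSSEC implementation: the validator reaches each zone key only through the parent's DS record, so a key held by .cn is never even consulted for a .com name. Zone names, record data and the owner|data signing format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Zone is a toy DNSSEC zone; ds holds the child keys it vouches for (its DS records).
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	ds   map[string]ed25519.PublicKey
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	return &Zone{Name: name, pub: pub, priv: priv, ds: map[string]ed25519.PublicKey{}}
}

func (z *Zone) Delegate(child *Zone) { z.ds[child.Name] = child.pub }

// Record is a signed RR as a resolver fetches it; nothing in it is trusted yet.
type Record struct {
	Owner, Data, Signer string
	Sig                 []byte
}

// Sign lets any zone sign any owner name; rejecting forgeries is the validator's job.
func (z *Zone) Sign(owner, data string) Record {
	return Record{owner, data, z.Name, ed25519.Sign(z.priv, []byte(owner+"|"+data))}
}

// Validate walks from the single trust anchor down the labels of rec.Owner, taking
// each child key only from its parent's DS. A key off that path is never consulted.
func Validate(anchor *Zone, dns map[string]*Zone, rec Record) error {
	labels, cur := strings.Split(rec.Owner, "."), anchor
	for i := len(labels) - 1; i >= 0 && cur.Name != rec.Signer; i-- {
		child := strings.Join(labels[i:], ".")
		if dns[child] == nil || !dns[child].pub.Equal(cur.ds[child]) {
			return fmt.Errorf("%s publishes no DS matching the DNSKEY of %s", cur.Name, child)
		}
		cur = dns[child]
	}
	if cur.Name != rec.Signer || !ed25519.Verify(cur.pub, []byte(rec.Owner+"|"+rec.Data), rec.Sig) {
		return fmt.Errorf("%s is not validly signed by the zone the anchor path reaches (%s)", rec.Owner, cur.Name)
	}
	return nil
}
```

Compare this with the CA model the thread criticises: there, any root in the store may sign any name, so the equivalent check would accept the .cn-signed record.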