OT: problems with the X.509 PKI business [was: Re: Gcrypt-devel Digest, Vol 66, Issue 5]

Milo gnupg at oneiroi.net
Fri Aug 13 20:05:51 CEST 2010


Hi.

On 07/25/2010 04:07 AM, Daniel Kahn Gillmor wrote:
> On 07/24/2010 06:37 AM, Milo wrote:
>> On 07/24/2010 10:36 AM, gcrypt-devel-request at gnupg.org wrote:
>>
>>>> A counterpoint would be that the whole X.509 PKI business is entirely
>>>> broken and does not provide any security at all.
>>>
>>> agreed, sadly.
>
>>
>> "whole X.509 PKI business is broken and does not provide any security at
>> all" - very interesting statement. Could you elaborate on that?
>
> For one example, X.509 sets up a situation that encourages centralized,
> hierarchical reliance on an unaccountable cabal of Certificate Authorities:
>
>   http://lair.fifthhorseman.net/~dkg/tls-centralization/
>
> 	--dkg

It's hard to disagree that it is seriously flawed; however, in practice
it's somehow far from being "entirely broken" and "not providing any
security at all". There is a small amount (if any) of real-life evidence
for serious violation/exploitation of CA model weaknesses (on the other
side, it seems improbable that it is not exploited...). I'm not
negating the need for research on a better substitute - my point is that
X.509 as is, is still providing some degree of security and it's better
than nothing.

-- 
Regards,
Milo


