Re: [decentralization] decentralized certificate authority
- I haven't read far enough to know - that's somebody else's project, not my own.
One reaction I have is that it's high time to acknowledge that the value of certificate authorities is a fiction. Self-signed certificates are all you ever need. Or am I wrong? Are you aware of any value added by the canonical root certificate authority?
The other thought is that this particular approach is the same in spirit as Pet Names.
On Fri, Aug 5, 2011 at 9:02 AM, Johannes Ernst <jernst@...> wrote:
Which kinds of certs does it work with? Have you considered use cases other than HTTPS?
Sent from my iPhone
On Aug 5, 2011, at 8:31, Lucas Gonze <lucas@...> wrote:
Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication.
Convergence allows you to choose who you want to trust, rather than having someone else's decision forced on you. You can revise your trust decisions at any time, so that you're not locked in to trusting anyone for longer than you want.
Convergence makes it easy for anyone to run their own trust notary. Each notary can only make security decisions for the clients that have chosen to trust it -- so the security, integrity, or accuracy of a notary does not affect those who haven't selected it.
Convergence can be configured to require trust consensus amongst multiple notaries, preventing any single notary from having the ability to compromise security.
Convergence is fully backward compatible with the existing deployment of certificates, and doesn't require website operators to change anything. Just install the Firefox add-on, select who you trust, and be done with Certificate Authorities forever. Everything will look exactly the same, and you'll never get a self-signed certificate warning again.
Convergence caches trust information locally, and has a mode to shield your IP address from notaries when communicating with them, so that you never leak your browsing history to anyone else.
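The notary consensus and local caching described in the announcement above, as an added Python sketch that is not part of the thread and is not Convergence's code or wire protocol. Notaries are modelled as plain functions returning the SHA-256 fingerprint they observe; `NotaryClient`, `fingerprint`, the notary names and the sample certificate bytes are hypothetical and constructed.

```python
import hashlib

GENUINE, FORGED = b"constructed-genuine-cert", b"constructed-forged-cert"  # constructed samples

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

class NotaryClient:  # hypothetical name; models the client-side trust decision only
    def __init__(self, notaries, threshold):
        if not 1 <= threshold <= len(notaries):
            raise ValueError("threshold must be between 1 and the number of notaries")
        self.notaries = notaries    # name -> callable(host, port) -> fingerprint
        self.threshold = threshold
        self.cache = {}             # (host, port) -> fingerprint already agreed on

    def verify(self, host, port, cert_der):
        seen = fingerprint(cert_der)
        if self.cache.get((host, port)) == seen:
            return True, []         # cache hit: no notary is contacted for this visit
        agree = []
        for name, observe in self.notaries.items():
            try:
                if observe(host, port) == seen:
                    agree.append(name)
            except OSError:
                pass                # an unreachable notary counts as no vote
        ok = len(agree) >= self.threshold
        if ok:
            self.cache[(host, port)] = seen
        return ok, agree

def honest(host, port):             # sees the certificate the server really serves
    return fingerprint(GENUINE)
def rogue(host, port):              # compromised notary vouching for the forged certificate
    return fingerprint(FORGED)
def offline(host, port):
    raise OSError("notary unreachable")

def demo():
    notaries = {"n1": honest, "n2": honest, "n3": offline, "rogue": rogue}
    quorum = NotaryClient(notaries, threshold=2)
    return {
        "genuine": quorum.verify("example.org", 443, GENUINE),
        "cached": quorum.verify("example.org", 443, GENUINE),
        "forged_quorum": quorum.verify("example.org", 443, FORGED),
        "forged_single": NotaryClient(notaries, 1).verify("example.org", 443, FORGED),
    }

if __name__ == "__main__":
    print(demo())
```

With a threshold of 1 the single rogue notary is enough to get the forged certificate accepted, which is the case the consensus setting is there to rule out.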
- On 5 Aug 2011, at 20:19, Lucas Gonze wrote:
> I haven't read far enough to know - that's somebody else's project, not my own.
The IETF is looking into using DNSSEC as a secure root for your own self-signed certs. That's a valid way forward.
> One reaction I have is that it's high time to acknowledge that the value of certificate authorities is a fiction. Self-signed certificates are all you ever need. Or am I wrong? Are you aware of any value added by the canonical root certificate authority?