Wednesday, November 8, 2017

Alternatives to the PKI in SSL

Google's "Blogger" application, very surprisingly, does not yet support SSL for custom domains. (And yet Google is an advocate for SSL everywhere. Hmm...) I could of course point my domain's CNAME record at a CDN instead of Blogger, use that CDN for SSL, and register Blogger's SSL cert for the CDN/Blogger connection (since Blogger does support SSL when you do not use a custom domain.) Should I bother? Of course, I've always hated generic CDN-owned certs as their authentication value is questionable, and even more than that I've disliked SSL's PKI model whereby massive CA lists are thrust upon users via their operating systems and/or browsers, and mostly unknowingly.

Perhaps I could sign the text of each post with GPG. Most visitors won't care, and those who do could authenticate posts without having to trust such a giant list of CAs that they have probably never vetted. But what happens when the asymmetry assumed by GPG is lost, perhaps due to quantum computers?

Perhaps I'll experiment with my own DCKR proposal. I could publish a script for hash-based signing of blog contents on this same blog, and then I could publish a DCKR signature stream at a regular interval. Perhaps I should practice what I preach.

No comments:

Post a Comment

Eltoo

This https://blockstream.com/eltoo.pdf