- From: peter williams <home_pw@msn.com>
- Date: Sun, 1 May 2011 18:39:39 -0700
- To: "'WebID XG'" <public-xg-webid@w3.org>
- Message-ID: <SNT143-ds873DB33100FA2AEAB18B7929F0@phx.gbl>
"PKI based on X.509 was supposed to fix this, but a couple billion dollars in failed deployments later, it's become painfully clear: X.509 is really quite expensive and painful." What I hoping is that folks here have provided Kaminsky wrong. X.509 is quite trivial to understand, costs absolutely nothing to operate on a global scale, and is no more painful than learning RDF. Webid is the proof of this claim. NOTHING NOTHING NOTHING has prevented folks here from doing self-asserted X.509 (something happenstance not mentioned by all the rant-centric pundits, Kaminsky included). Furthermore, what folks are doing with webid today COULD have been done 5+ years ago (nothing material has changed in the Web, meantime). Folks COULD have used the URI 10 years ago (when Jalil Feghii first coded it using the Microsoft Cert Server v1.0 - back in the pre-.NET COM era!). What is expensive is assurance. Signing cert blobs and stuffing fields in them is trivial. It always was. When one starts out to have *assured* DNSsec with lots of self-selected assurers (not just US govt and its minions), it will have exactly the same issues as *assuring* X.509 certs. There is no semantic difference between a signed DNS record, and a signed cert. Just two different blobs, in two different directories, in two different hierarchies. At least X.509 is not so limited however! I think we need to dis-associate form Kaminsky - simply because he (I assume) has associated himself with the anti-X.509 rant crowd, in the form of his arguments. It's a shame folks do it, but it is quite common. I always apply the Peter test. If Peter can actually do it, it MUST be simple both in concept AND in practice.
Received on Monday, 2 May 2011 01:40:09 UTC