[Discuss] root CA bloat

Richard Pieri richard.pieri at gmail.com
Mon Nov 24 21:35:16 EST 2014


On 11/24/2014 3:20 PM, Derek Martin wrote:
> It is a practical impossibility for you (or your organization) to
> actually truly authenticate each and every entity with whom you do
> business on the Internet.  The problem is compounded by the needs of

I don't agree with the base assertion. I don't believe that it is an 
impossibility, practical or otherwise. Means to do it exist. Kerberos 
does it on a small scale. Make something like Kerberos realms integral 
to web browsers. Make doing business with Amazon a matter of creating a 
principal for Amazon in your browser profile. There you have it: 
verifiable, mutual authentication across the entire Internet.

No, that's not intended to be the solution. It's me noodling about one 
way to go about it. Yes, I'm aware that this does not solve the initial 
trust problem. Like I wrote above, I don't believe it is impossible to 
solve, only that nobody has put the effort into solving it (or if they 
have then their work has largely been ignored).

It wouldn't require a flag day. It's something that browser makers could 
implement and deploy in parallel with the existing X.509 PKI currently 
in use. X.509 could then be deprecated once the new system achieves a 
critical mass.

-- 
Rich P.
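Pieri's sketch of Kerberos-style realms and per-site principals in a browser profile, worked through as an added example (not code from the post, and not taken from any Kerberos implementation): a toy KDC, a service principal and a browser-profile principal run one ticket exchange that ends in Kerberos-style mutual authentication, where the service proves it could read the ticket by returning the client's timestamp plus one under the session key. The realm EXAMPLE, the principals alice and amazon, the HMAC counter-mode cipher standing in for real AEAD, and the collapsed single AS-style exchange (no TGS round) are all assumptions of the example. The demo also exercises the two failure modes the thread touches on: an impostor service without the real long-term key cannot complete the handshake, and a principal that was never enrolled has no trust path at all, which is the initial-trust problem the post concedes is not solved by the scheme.

```python
"""Toy Kerberos-style mutual authentication: browser-profile principal, service
principal and a realm KDC; no certificate authority. Constructed example, not
MIT Kerberos; the HMAC counter-mode cipher is a stand-in for real AEAD."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode (toy construction for this demo only)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Realm key-distribution centre: one long-term key per enrolled principal."""
    def __init__(self, realm):
        self.realm, self.principals = realm, {}
    def enrol(self, name):
        # Enrolment is the out-of-band initial-trust step the thread acknowledges.
        key = os.urandom(32)
        self.principals[f"{name}@{self.realm}"] = key
        return key
    def issue(self, client, service, lifetime=300):
        """One AS-style exchange (no separate TGS round): returns
        (ticket readable only by the service, reply readable only by the client)."""
        if client not in self.principals or service not in self.principals:
            raise KeyError(f"unknown principal: {client} / {service}")
        sk, exp = os.urandom(32).hex(), time.time() + lifetime
        ticket = seal(self.principals[service], {"client": client, "sk": sk, "exp": exp})
        reply = seal(self.principals[client], {"service": service, "sk": sk, "exp": exp})
        return ticket, reply

class Service:
    """Server side (the 'amazon' principal); holds only its own long-term key."""
    def __init__(self, key):
        self.key = key
    def ap_req(self, ticket, authenticator):
        t = unseal(self.key, ticket)          # fails unless we hold the real service key
        if t["exp"] < time.time():
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)         # presenter must know the ticket's session key
        if a["client"] != t["client"] or abs(a["ts"] - time.time()) > 300:
            raise ValueError("authenticator does not match ticket or is stale")
        # AP_REP: echo ts+1 under the session key, proving we could read the ticket
        return seal(sk, {"ts": a["ts"] + 1})

class BrowserProfile:
    """Client side: a principal stored in the user's browser profile."""
    def __init__(self, name, key, realm):
        self.name, self.key = f"{name}@{realm}", key
    def authenticate(self, kdc, service, service_name):
        """Mutually authenticate with `service`; returns the shared session key."""
        ticket, reply = kdc.issue(self.name, service_name)
        sk = bytes.fromhex(unseal(self.key, reply)["sk"])
        ts = time.time()
        ap_rep = service.ap_req(ticket, seal(sk, {"client": self.name, "ts": ts}))
        if unseal(sk, ap_rep)["ts"] != ts + 1:
            raise ValueError("service failed mutual authentication")
        return sk

def demo():
    """Honest run, impostor service and unenrolled client; returns the outcomes."""
    kdc = KDC("EXAMPLE")                      # constructed realm and principal names
    alice = BrowserProfile("alice", kdc.enrol("alice"), "EXAMPLE")
    amazon = Service(kdc.enrol("amazon"))
    out = {"honest": len(alice.authenticate(kdc, amazon, "amazon@EXAMPLE")) == 32}
    try:                                      # impostor service lacks amazon's key
        alice.authenticate(kdc, Service(os.urandom(32)), "amazon@EXAMPLE")
        out["impostor_rejected"] = False
    except ValueError:
        out["impostor_rejected"] = True
    try:                                      # never enrolled: no trust path exists
        BrowserProfile("mallory", os.urandom(32), "EXAMPLE").authenticate(kdc, amazon, "amazon@EXAMPLE")
        out["unenrolled_rejected"] = False
    except KeyError:
        out["unenrolled_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that neither side ever sees the other's long-term key: the KDC binds both to a fresh session key, the ticket is opaque to the client, and the AP_REP is the only thing that distinguishes the real service from an impostor holding a copied ticket. Everything rests on enrolment, which is why the scheme relocates rather than removes the initial-trust problem.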


