On 8/27/11 7:25 AM, ned+ietf@xxxxxxxxxxxxxxxxx wrote:
> I don't have an answer here, but the one thing I'm fairly sure of is that blindly pushing TLS everywhere is not the solution a lot of folks believe it is.
I tend to think that the problem here (and I agree that it's a big one) isn't TLS, but that PKI as defined by pkix is very difficult to deploy correctly. I've seen similar sorts of problems with digital signatures on email, but in those cases as often as not someone simply got the certificate contents wrong (or the user doesn't understand how to configure his mail client correctly and is using a name that doesn't appear in the certificate) rather than the cert having expired (although there's a lot of that, too). There's a substantial usability problem.

Melinda
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf