> On 8/27/11 7:25 AM, ned+ietf@xxxxxxxxxxxxxxxxx wrote:
>> I don't have an answer here, but the one thing I'm fairly sure of is that
>> blindly pushing TLS everywhere is not the solution a lot of folks believe
>> it is.
> I tend to think that the problem here (and I agree that it's a big one) isn't TLS, but that PKI as defined by pkix is very difficult to deploy correctly.
Agreed.
> I've seen similar sorts of problems with digital signatures on email, but in those cases as often as not someone simply got the certificate contents wrong (or the user doesn't understand how to configure his mail client correctly and is using a name that doesn't appear in the certificate) rather than the cert having expired (although there's a lot of that, too). There's a substantial usability problem.
Absolutely, and it's both architectural and operational - PKI is full of complex and subtle concepts that implementations don't exactly help you with.

Ned
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf