
Re: [saag] SHA-1 to SHA-n transition



On Wed, Mar 04, 2009 at 04:46:42AM +1300, Peter Gutmann wrote:
> Eric Rescorla <ekr at networkresonance.com> writes:
> >"We must do something. This is something. We must do this."
> 
> So you've got the choice between the Politician's Fallacy (the above) and
> psychosis ("PKI has been failing for 30 years [0], let's try more of it in the
> hope that it suddenly works this time").

Well, no, there's also the choice of making PKIs work -- that requires
more political work than technical, and may be as infeasible as a good
unregulated PKI has been.

Also, I'm not sure that well-regulated PKI will necessarily be a good
thing -- I can already imagine the complaints about how red tape slows
everything down, doesn't scale, blah, blah, blah.  But if the consensus
here was that that is what we need, and if politicians told us it's
feasible then it'd be worth trying.

> I think we need psychiatrists for this more than we need security geeks.
> 
> (I don't know the answer either, but admitting you have a problem with your
> current approach is always the first step to recovery).

How long has the consensus been that web security is broken?  Admitting
you have a problem is the first step, but it is not sufficient.

Nico
-- 

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.