Comment by xnull2guest
11 years ago
Do you think that with public key pinning self-signed certs begin to make sense? Also, do you feel that CAs and the PKI system do provide appropriate authentication (this being a cost-benefit rather than a 100%-correctness analysis)?
Yes! Key continuity is a legitimate identity scheme; the only trick is to implement it scalably, so it actually happens, rather than being a fig leaf (an unworkable variant of key continuity already exists in browsers today).
I think the CA system by itself is inadequate, but unlike unauthenticated TLS, actually does provide some security.