
The overengineering and non-deployment of SSL/TLS | Brad Ideas - mblakele
http://ideas.4brad.com/overengineering-and-non-deployment-ssl-tls
======
brl
"One simple approach would be a certificate server which allowed any site to
request a certificate and verify it owned the domain in question but putting a
response to a challenge in a URL on that domain on a web server on a random
port below 1024."

So in your threat universe an attacker can MITM the connection between your
browser and PayPal, but they can't MITM the connection between PayPal and the
certificate authority?

"RSA uses large keys and large certificates, however, and people with
bandwidth concerns (mostly for their users) have reason to object to it. To
take a tiny transaction, such as the fetching of the lightweight Google home
page (3kb in size) and make it involve tens of kilobytes is something one can
still express some concern about, even today. There is an answer to that, in
elliptic curve cryptography, which is able to use much smaller keys and
certificates."

Most bizarre argument for ECC ever ^^^^

There are so many brad ideas here that I should leave some for other people to
bash. Also because I'm worried about being a victim of some elaborate joke.

