You’ve made a pretty big error in saying trusted CAs are only about the browser. What about host-to-host comms which is secured by SSL certs? The whole reason Equifax was clueless for months about their breach is they allowed their SSL certs to expire, which caused critical host-to-host comms to break down. You don’t get that certificate warning you can click through when you have host-to-host encrypted traffic. If those certs had been revoked they would have had the same problem.

I am not really trying to fix the trust problem… which probably defies any single solution. I am addressing the dangers of 1) piling into a single system of trust instead of dispersing that trust across multiple systems; 2) trusting encryption when the KMS is the proper object that trust; and 3) the unintended consequences of “free” and “automated”… namely the “fire and forget” complacency which it begets.

Written by

I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store