summaryrefslogtreecommitdiff
path: root/website
diff options
context:
space:
mode:
Diffstat (limited to 'website')
-rw-r--r--website/vision.mdwn19
1 files changed, 18 insertions, 1 deletions
diff --git a/website/vision.mdwn b/website/vision.mdwn
index 66b2aec..281bc72 100644
--- a/website/vision.mdwn
+++ b/website/vision.mdwn
@@ -7,8 +7,25 @@ This is probably at the crux of the Monkeysphere vision for the future:
* [Simon Josefsson proposed out-of-process certificate verification model in gnutls-devel](http://news.gmane.org/find-root.php?group=gmane.comp.encryption.gpg.gnutls.devel&article=3231)
* [Werner Koch's dirmngr](http://www.gnupg.org/documentation/manuals/dirmngr/)
* [GnuTLS wiki external validation](http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation)
+* [Pathfinder PKI validation](http://code.google.com/p/pathfinder-pki/) (includes validation plugins for OpenSSL and LibNSS).
-## Other discussions ##
+## TLS transition strategies ##
+
+While [RFC 5081](http://tools.ietf.org/html/rfc5081) is quite a while
+off from widespread adoption, it would be good to have an interim
+translation step. This is analogous to the SSH work we've done, where
+the on-the-wire protocol remains the same, but the keys themselves are
+looked up in the OpenPGP WoT.
+
+Firefox extensions that deal with certificate validation seem to be
+the easiest path toward demonstrating this technique. We should look
+at:
+
+* [SSL Blacklist](http://codefromthe70s.org/sslblacklist.aspx)
+* [Perspectives](http://www.cs.cmu.edu/~perspectives/firefox.html)
+* there is another firefox extension that basically disables all TLS certificate checking. The download page says things like "this is a bad idea" and "do not install this extension", but i'm unable to find it at the moment.
+
+## Related discussions ##
* [Wandering Thoughts blog discussion about Web of Trust flaws](http://utcc.utoronto.ca/~cks/space/blog/tech/WebOfTrustFlaws?showcomments)
* [Wandering Thoughts blog discussion about certificate authorities](http://utcc.utoronto.ca/~cks/space/blog/web/SSLCANeed?showcomments)