Changeset 115 for trunk/tls-centralization/index.html

Timestamp:

Jan 18, 2007 2:22:40 AM (6 years ago)

Author:

dkg

Message:

TLS Centralization article: incorporated input from Josue and Christine.

File:

• trunk/tls-centralization/index.html (modified) (11 diffs)

trunk/tls-centralization/index.html

@@ -17 +17 @@
 <p>The protocols we use for communication shape not just the
 communications themselves, but social and economic structures beyond
-them.  I'll discuss here a protocol in common use on the internet
-today: <term>Transport Layer Security</term> (or <term>TLS</term>) and
-its precursor, the <term>Secure Sockets Layer</term> (or
-<term>SSL</term>).  These are used (among other places) in secure
+them.  As Americans, we have seen how choices in infrastructure can
+shape social structure in the physical world. Our society builds
+highways, malls, and suburban developments while neglecting its rail
+lines, public spaces, and cities. In doing so, we <a
+href="http://www.planning.org/APAStore/Search/Default.aspx?p=3333">discourage
+civic interaction while facilitating pollution and dangerously
+sedentary lifestyles</a>. This article shows how choices in digital
+communications infrastructure can also have an effect on our social
+fabric by focusing on one small example out of many.
+
+<p>I'll discuss here a protocol in common use on the internet
+today: <term>Transport Layer Security</term> (<term>TLS</term>) and
+its precursor, the <term>Secure Sockets Layer</term>
+(<term>SSL</term>).  These are used (among other places) in secure
 World Wide Web connections.  <term>TLS</term>, as it is currently
 implemented, fosters the concentration of power and money among
@@ -33 +43 @@
 authoritarian.
 
-<p>But this is one small piece of the puzzle.  There are thousands of
+<p>TLS is only one small piece of the puzzle.  There are thousands of
 protocols and tools in use on the Internet today, with a variety of
 subtle societal effects.  We can choose the way we want to go, but we
@@ -111 +121 @@
 veering into paranoia here: the global network is very flexible; it
 relies on wide-scale co-operation; and the malicious actors are often
-tireless and concsienceless machines, not individual humans.
+tireless and conscienceless machines, not individual humans.
 
 <p> So how does your browser know to show that lock, since anyone
@@ -119 +129 @@
 tooltip</cap></captionedimage> Because during the initial claim of
 identity, the web server presents a certificate which is
-cryptographically signed by an <term>Certificate Authority</term> (or
-<term>CA</term>) who your browser already knows about and trusts.  On
+cryptographically signed by an <term>Certificate Authority</term>
+(<term>CA</term>) who your browser already knows about and trusts.  On
 some modern web browsers, if you hover your mouse over the
 <q>lock</q>, a tool tip will pop up showing which <term>CA</term>
@@ -159 +169 @@
 
 What is it about the architecture of the Web that encourages this
-insecurity and lack of integrity?  I want to step briefly into a
-discussion of the underlying protocols used to create secure web
-connections.  The Internet is a collection of co-operating machines,
-all passing messages to each other in various forms.  Viewed from
-another angle, the Internet is also a collection of interacting
-protocols, which fit together in certain ways.
+insecurity and lack of integrity?  This requires a basic understanding
+of the underlying protocols used to create secure web connections.
+The Internet is a collection of co-operating machines, all passing
+messages to each other in various forms.  Viewed from another angle,
+the Internet is also a collection of interacting protocols, which fit
+together in certain ways.
 
 <h3>TLS</h3>
@@ -218 +228 @@
 <pre>/O=secure.mayfirst.org/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=secure.mayfirst.org</pre>
 
-<p>The name of the signer (aka the <term>issuer</term>) is also present in a
-similar form (though your browser treats the entire string as
-important), and a <em>single</em> signature is allowed within the
-certificate.
+<p>The identity of the signer (aka the <term>issuer</term>) is also
+present in the certificate, and a <em>single</em> signature is allowed
+within the certificate.
 
 <p>Your browser (or other <term>TLS</term>-capable client) takes the
@@ -401 +410 @@
 larger <term>CA</term>s called <a
 href="http://www.cabforum.org/certificates.html"><term>Extended
-Validation</term> (or <term>EV</term>) Certificates</a>.  From what I
+Validation</term> (<term>EV</term>) Certificates</a>.  From what I
 can tell, this is simply the big <term>CA</term>s offering to actually
 do a serious level of identity verification &mdash; what they should
@@ -470 +479 @@
 implemented or adopted yet.
 
-<p>One implementation exists: the free <a
-href="http://www.gnu.org/software/gnutls/">GnuTLS library</a> has
-supported <term>OpenPGP</term> certificates in addition to
+<p>Most programs which use <term>TLS</term> do not actually implement
+their TLS functionality directly.  Instead, they make use of software
+<term>libraries</term>, which are collections of code that can be used
+by many programs.
+
+<p>At least one library exists which can use OpenPGP certificates: the
+free <a href="http://www.gnu.org/software/gnutls/">GnuTLS library</a>
+has supported <term>OpenPGP</term> certificates in addition to
 <term>X.509</term> certificates since at least the end of 2003.  Tools
 (like web browsers) which use the GnuTLS library basically can get
-this extra support without any extra work.
+this extra feature without any extra work.
 
 <p>However, the <a href="http://openssl.org/">OpenSSL library</a> is
 by far the most widely-used free library, and it only includes support
-for <term>X.509</term> certificates.  There are some folks talking it
-over at the moment, but it's doubtful that anything will happen in the
-near future with that.  Tools which use OpenSSL are not going to take
-a while to migrate to this new architecture.
+for <term>X.509</term> certificates.  Some developers <a
+href="http://www.mail-archive.com/openssl-dev@openssl.org/msg21728.html">are
+discussing adding OpenPGP support for OpenSSL</a>, but it's doubtful
+that anything will happen in the near future.  Tools which
+use OpenSSL are going to take a while to migrate to this new
+architecture.
 
 <p>So what needs to happen?  Web browsers (and other TLS-enabled
@@ -498 +514 @@
 the widest-distributed Free Browser today.  In my version of it on my
 <a href="http://debian.org/">debian</a> operating system, it actually
-already links against GnuTLS, but I haven't reviewed the sources to
-see how it gets used.  Furthermore, there is no clear way through the
-Firefox graphical interface to manage OpenPGP <term>CA</term>s, the
-way there is to manage <term>X.509</term> <term>CA</term>s.  So that
-needs work.  Firefox is also the basis for the proprietary Netscape
-browser, so any fix to Firefox could have an effect there.  Many other
-Free browsers also derive from Firefox, so a fix here would be a big
-win.
+already uses the GnuTLS library, but I haven't reviewed the sources to
+see how it gets used (it could be used for library features unrelated
+to certificate verification).  Furthermore, there is no clear way
+through the Firefox graphical interface to manage OpenPGP
+<term>CA</term>s, the way there is to manage <term>X.509</term>
+<term>CA</term>s.  So that needs work.  Firefox is also the basis for
+the proprietary Netscape browser, so any fix to Firefox could have an
+effect there.  Many other Free browsers also derive from Firefox, so a
+fix here would be a big win.
 
 <p><a href="http://www.konqueror.org/">Konqueror</a> is another
@@ -518 +535 @@
 <p>Finally, a couple text-mode browsers, <a
 href="http://elinks.or.cz/"><tt>elinks</tt></a> and the venerable <a
-href="http://lynx.browser.org/"><tt>lynx</tt></a> appear to be built
-against GnuTLS these days.  So they might be a possibility.
+href="http://lynx.browser.org/"><tt>lynx</tt></a> appear to use the
+GnuTLS library these days.
 
 <h3>Web Server Buy-in</h3>
@@ -596 +613 @@
 <hr>
 <address></address>
-<!-- hhmts start -->Last modified: Sat Jan  6 13:47:48 EST 2007 <!-- hhmts end -->
+<!-- hhmts start -->Last modified: Thu Jan 18 02:21:55 EST 2007 <!-- hhmts end -->
 </body> </html>