Should we make a working group to kill X.509?
tl;dr: banter on HN isn’t enough; sign up here to actually do something
So yesterday I wrote an article about the flawed security of X.509 which you can read here. When it was about 2/3 complete I showed it to my best mate and said “I hope it gets traction.”
An hour later it’s all over Hacker News, Reddit, something like 50,000 uniques, I’ve got strangers lurking in my LinkedIn (shameless plug), and strangers in my inbox.
This is all brilliant but while stroking my ego is nice, I didn’t spend a whole day writing this and dealing with the aftermath so I could have 15 minutes of fame, as hard as that may be to believe in this day and age. Instead, I wrote the article because I use the internet every day - it is my livelihood - and I do not feel safe under the protections of X.509. And crucially, because I want the people with the necessary skills to do something about that.
But now as my ramblings approach hour 19 of being hot shit, the article is beginning to slip down the rankings on HN and Reddit, and an eventual plunge into the abyss of historical news is not far off. I hope you understand that if I let it go at this point I’d have wasted a whole day. So I’m not.
Practical steps to solving internet security
The ensuing discussion was great, and I was so thrilled to see a number of people asking what they can practically do at this point to solve the issues raised. There were suggestions about TACK, Convergence, SPKI/SDSI, and there were questions raised about whether PGP could even scale well enough to do as I suggested. There were even naysayings by some of the people who helped develop X.509. All of this is perfect, it’s the exact discussion I wanted to start.
The problem of course is that the comment threads on HN and Reddit are not the forum for plotting world domination.
What we have done is prove:
- That there is an appetite to change the status quo
- That there are many approaches with many details to be thrashed out
My question now - to the 338 upvoters on HN, the ~226 on Reddit, the ~1500 kudos-givers on Svbtle, the retweeters, and to the all-important domain experts that may or may not have caught wind of this draught - is whether we should actually bear arms now and try to fix this, or was a war cry enough for today?
A working group
In other words, should we attempt to form some kind of working group aimed at finding a way to move away from X.509?
I’m not a domain expert, from my publicly viewable code I’m barely a programmer - I’m not qualified to answer this.
But perhaps you are. Even if you’re not, if you’re interested in solving this problem I ask you to join the mailing list here:
d2/dx x.509 at Google Groups
A small mathematical joke in the name there, hope you liked it.
The group is currently request-only, and the reason for this is simply that if domain experts do want to use this as a springboard to do something, I don’t want them to fear having to navigate a sea of amateurs. If this is a terrible idea let me know.
As I said I am not really qualified to lead the technical discussion, so if this group gets traction I will happily - eagerly even - cede control to someone who is when the time is right.
A final call
If you are - or if you know - someone who is technically and ‘culturally’ (i.e. has a big enough name to make more noise than me) suited to helping out here, please join - or let them know about the existence of - this group.
With the right people on board to get this ball rolling, there really isn’t a big jump to it rolling into the front door of browser vendors and the like, at which point things might actually start to happen. It is only with measured, consistent resolve that we as humans have ever solved complex problems - it’d be a shame to stop now. So please tweet this to @EFF, @moxie, and all the other people better positioned than ourselves, and let’s actually turn the noise into action this time.