San Francisco-based security firm Qualys is throwing its support behind an experimental project designed to improve the security and privacy of website authentication by reducing reliance on certificate authorities that issue secure sockets layer credentials. The Convergence project was devised by Moxie Marlinspike, a security …
Tried the Firefox plug-in using the default parameters; every one of the sites I tried it on returned an invalid certificate warning. However, it is a beta, so maybe it's worth waiting to see if this changes significantly in the future.
Convergence won't run on FF 7.0
On FF 6.x it prevents Gmail attachment uploads. They just hang with a Gmail "Still working" message.
Forgive me if I'm teaching granny to suck eggs...
...but can you not unpack the plugin XPI file and edit the em:maxVersion tag in install.rdf? Of course there may be a more fundamental reason why it doesn't work with FF7 but I would have thought it's worth a try. And naturally this is unlikely to fix the attachment upload problem.
There are bound to be problems with Convergence at the start. As elegant as the idea is, it is still a massively ambitious undertaking to turn the net's trust model on its head. Personally I think there is a responsibility on those of us that recognise the problem to actively participate in the solution. That may be just using the plugin, feeding back issues to the devs and possibly running a notary, but every little helps.
FF7+Convergence work fine on OpenIndiana.
This does cut rather to the heart of the problem with certificates: I *don't* trust the CAs - any of them. Why should I? They're faceless agencies who make money out of selling these certificates to companies; they have next to no responsibility or accountability to me. Plus they are, I'm guessing, full of humans. Humans can be corrupt and/or stupid.
There has been far too little cross-checking of reliability in the whole market for years and the idea outlined here looks like a step in the right direction.
From the website: "Convergence is based on the ideas originally developed by the Perspectives Project at Carnegie Mellon University."
Does this mean that Perspectives is dead? Are the 2 systems compatible?
Installed FF7 the other day and found it still had DigiNotar as a CA..
...are the DigiNotar certificates configured to authenticate anything?