[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

McGovern, James james.mcgovern at hp.com
Tue Feb 19 13:32:46 UTC 2013


> Although key pinning and the like are very good ideas, they really depend on the Cert Authority model, which requires I fundamentally trust people that I cannot and do not 
> trust. What is actually required is that everybody have client certificates - an 'internet' driver's license. 
> But that I am certain will never happen. So my concern is that eventually even key pinning and the like will fail for other as of yet unknown reasons…

If we were to move away from PKI towards other models such as Identity Based Encryption, would that help? 

Although Kim Cameron's (Microsoft) dream of Information Cards is now defunct, would this have been a better answer?

While not in the scope of this project, is there merit in exploring the notion of a PKI Certificate Authority Top Ten?
