Qualys backs Marlinspike-inspired Convergence notaries

Qualys is funding and operating two Convergence notary servers, one in the US and one in Europe. “While it's not yet clear if Convergence can succeed (there are many technological and adoption challenges to conquer), we want to play a part in it and help it succeed”, wrote Ivan Ristic, director of engineering at Qualys, in a blog post.

In August, Marlinspike launched Convergence, his alternative to SSL certificate authorities (CAs), at the Black Hat conference in Las Vegas. Convergence, currently in its beta version, allows users to configure a set of trusted notaries, which use network perspective to validate the certificate a site presents. It also requires a trust consensus from multiple notaries to ensure security. Convergence, thus far, is only available as a Firefox browser add-on.

Ristic explained that Convergence consists of two parts. The first is the ability to delegate trust decisions from the browser to a third party. “That means that you are no longer forced to accept the decisions of the browser vendors, but you can make your own. That ability is, for me, the most thrilling aspect of the project.”

The second part is the backend implementation that makes trust decisions. “The approach is great in its simplicity: if you can see the same certificate from several different locations you conclude that it must be the correct certificate”, Ristic wrote.
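The multi-vantage-point check described above can be sketched as follows. This is an added example, not Convergence or Qualys code: the notary names, the policy names, and the byte strings standing in for certificates are all constructed for illustration.

```python
import hashlib
from enum import Enum

class Policy(Enum):          # hypothetical policy names for this sketch
    MAJORITY = "majority"    # more than half of the configured notaries agree
    CONSENSUS = "consensus"  # every configured notary agrees

def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def notary_verdict(client_cert: bytes, notary_views: dict, policy: Policy) -> dict:
    """Compare the certificate the client received with what each notary saw.

    notary_views maps a notary name to the certificate bytes observed from
    that vantage point, or to None when the notary could not be reached.
    """
    seen = fingerprint(client_cert)
    agree, disagree, unreachable = [], [], []
    for name, view in sorted(notary_views.items()):
        if view is None:
            unreachable.append(name)   # silence is never counted as agreement
        elif fingerprint(view) == seen:
            agree.append(name)
        else:
            disagree.append(name)      # notary saw a different certificate
    total = len(notary_views)
    if policy is Policy.CONSENSUS:
        trusted = total > 0 and len(agree) == total
    else:
        trusted = len(agree) * 2 > total
    return {"trusted": trusted, "agree": agree,
            "disagree": disagree, "unreachable": unreachable}

# Constructed sample data: byte strings stand in for DER certificates.
GENUINE = b"constructed-der-bytes-of-the-real-site-certificate"
FORGED = b"constructed-der-bytes-of-an-interceptor-certificate"
VIEWS = {"notary-us": GENUINE, "notary-eu": GENUINE, "notary-third": None}

if __name__ == "__main__":
    print(notary_verdict(GENUINE, VIEWS, Policy.MAJORITY))   # trusted
    print(notary_verdict(FORGED, VIEWS, Policy.MAJORITY))    # rejected
    print(notary_verdict(GENUINE, VIEWS, Policy.CONSENSUS))  # rejected: one notary silent
```

A client that is handed a different certificate from the one the notaries see gets no agreeing votes, and an unreachable notary lowers the agreement count rather than being ignored, so the stricter policy fails closed.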

The Qualys engineer said his company’s proposal is an attempt to try one implementation approach for Convergence. “We’ve just been given the ability to choose whom to trust, and it’s too soon to settle on any one implementation. I am far more interested in experimenting with different approaches, to see what works and what does not”, he stressed.
