List:       gentoo-dev
Subject:    Re: [gentoo-dev] Gentoo and Root CAs
From:       Kevin Chadwick <ma1l1ists () yahoo ! co ! uk>
Date:       2012-12-31 15:06:15
Message-ID: 20121231150615.787d7ca8 () kc-sys ! chadwicks ! me ! uk

On Mon, 31 Dec 2012 15:42:39 +0100
Tobias Klausmann <klausman@gentoo.org> wrote:

>  I _do_ think that his concerns need
> to be addressed, particularly the second half of his statement.

Whilst I agree that, if it does, Debian's system shouldn't undermine
Mozilla's, I think the latest efforts are a pointless bandaid, but I'm
sure better solutions should come if we can get around the CAs wanting
to make money issue.

"Can you prove you know what certificates were issued, to whom, and who
authorized them?" Accountability 101! It's not perfect, but it's a huge
step forward from "Oh, this guy I know says it's cool"

Is it really? Introducing trust in people we don't know and can't
possibly verify (yes, I know the procedures that you could argue badly
are better than none).

What SSL protects is data between two servers and all that is required
is to ensure that you are talking securely to the server or domain name
you have chosen to trust. Anything else is simply adding vectors of attack
and false senses of security. I thought DNSSEC may be extremely useful
for SSL but it seems it may well just be the best available option
at the moment, as DNSSEC could do with an overhaul too first.
