| 1 |
On Mon, 31 Dec 2012 15:42:39 +0100 |
| 2 |
Tobias Klausmann <klausman@g.o> wrote: |
| 3 |
|
| 4 |
> I _do_ think that his concerns need |
| 5 |
> to be addressed, particularly the second half of his statement. |
| 6 |
|
| 7 |
Whilst I agree that if it does debians system shouldn't undermine |
| 8 |
mozillas. I think the latest efforts are a pointless bandaid but I'm |
| 9 |
sure better solutions should come if we can get around the CAs wanting |
| 10 |
to make money issue. |
| 11 |
|
| 12 |
"Can you prove you know what certificates were issued, to whom, and who |
| 13 |
authorized them?" Accountability 101! It's not perfect, but it's a huge |
| 14 |
step forward from "Oh, this guy I know says its cool" |
| 15 |
|
| 16 |
Is it really. Introducing trust on people we don't know and can't |
| 17 |
possibly verify (yes I know the procedures that you could argue badly |
| 18 |
are better than none). |
| 19 |
|
| 20 |
What SSL protects is data between two servers and all that is required |
| 21 |
is to ensure that you are talking securely to the server or domain name |
| 22 |
you have chosen trust. Anything else is simply adding vectors of attack |
| 23 |
and false senses of security. I thought DNSSEC maybe extremely useful |
| 24 |
for ssl but it seems it may well just be the best available option |
| 25 |
at the moment as DNSSEC could do with an overhaul too first. |
Archives