On Mon, 31 Dec 2012 15:42:39 +0100
Tobias Klausmann <klausman@g.o> wrote:

> I _do_ think that his concerns need
> to be addressed, particularly the second half of his statement.

Whilst I agree that, if it does, Debian's system shouldn't undermine
Mozilla's, I think the latest efforts are a pointless band-aid, but I'm
sure better solutions should come if we can get around the "CAs wanting
to make money" issue.

"Can you prove you know what certificates were issued, to whom, and who
authorized them?" Accountability 101! It's not perfect, but it's a huge
step forward from "Oh, this guy I know says it's cool".

Is it really? Introducing trust in people we don't know and can't
possibly verify (yes, I know the procedures, which you could argue are
better than none, badly).

What SSL protects is data between two servers, and all that is required
is to ensure that you are talking securely to the server or domain name
you have chosen to trust. Anything else is simply adding vectors of attack
and false senses of security. I thought DNSSEC might be extremely useful
for SSL, but it seems it may well just be the best available option
at the moment, as DNSSEC could do with an overhaul too first.