On 15.05.2010 08:24, Russ Allbery wrote:
> Christoph Anton Mitterer <[email protected]> writes:
>> And personally, I really do _not_ trust some of the CAs which are
>> included/enabled per default.
> 
> Having done business with several of them, I don't trust any commercial
> CA.  This is a way more fundamental problem.  Essentially no X.509 used on
> the Internet uses trustworthy CAs.  X.509 for web authentication is, in
> practice, not an authentication mechanism.  It's solely an encryption
> mechanism.  It's almost trivial to bypass the authentication portion if
> you're familiar with the business practices of the CAs.

Amen. PKI is a naive design and for all intents and purposes will
remain a pipe-dream. All security relationships that are worth anything
are bilateral, and no trusted third party is willing to accept enough risk
to warrant full trust.

Using public keys for auth is a good security model, and the rest of X.509
certs is just unnecessary overhead.

-- 
Eray


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
