Martin Heaps via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>This topic is frustrating in that there seems to be a wide attempt by people
>to use one form of authentication (DV TLS) to verify another form of
>authentication (EV TLS).

The overall problem is that browser vendors have decreed that you can't have encryption unless you have a certificate, i.e. a CA-supplied magic token to turn the crypto on. Let's Encrypt was an attempt to kludge around this by giving everyone one of these magic tokens. Like a lot of other kludges, it had negative consequences... So it's now being actively exploited... how could anyone *not* see this coming? How can anyone actually be surprised that this is now happening?

As the late Bob Jueneman once said on the PKIX list (over a different PKI-related topic), "it's like watching a train wreck in slow motion, one freeze-frame at a time". It's pre-ordained what's going to happen, the most you can do is artificially delay its arrival.

>The end necessity is that the general public need to be educated [...]

Quoting Vesselin Bontchev, "if user education was going to work, it would have worked by now". And that was a decade ago.

Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy