[clug] the new SSL :-)

Daniel Pittman daniel at rimspace.net
Fri Mar 26 16:39:08 MDT 2010


Michael Cohen <scudette at gmail.com> writes:
> On Fri, Mar 26, 2010 at 11:34 PM, Daniel Pittman <daniel at rimspace.net> wrote:
>
>> ...at which point you are trusting the DNS root, which is often run by the
>> government, and is certainly run at the fiat of the government.  That puts
>> them in a ... poor negotiating position to resist pressure to cooperate...
>
> When encryption really matters you need to use your own CA which you
> protect yourself.

...as long as your software trusts only that CA.  (Was it a discussion here
that brought out the fact that some commercial CAs cooperate with government
and law enforcement to provide false certificates that will be trusted by the
browser since the CA is in the root store?)

[...]

> Key management in general is a real problem and always will be.

*nod*

> You have to trust someone in the end - if it's not the root CA it's the
> browser software, the OS software, the hardware etc. Much of SSL is about
> security theater - it's designed to make people comfortable about
> e-commerce. Not unlike the recent "chip" in the credit cards is designed to
> make people feel more secure but in reality is fairly useless as described
> here:

Actually, the chip has some use outside the technical scope: it allowed
changes to the distribution of risk of fraud, moving it from the credit
provider or card issuer down to the end user.

So, plenty of utility for the banks and credit card agencies. :)

        Daniel
-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

