On Tue, Jun 29, 2004 at 02:39:51AM +0200, martin f krafft wrote:
> I think we should have a page explaining the key and its trust
> basis, and also publish the key's fingerprint. If that page could be
> SSL-tunneled and signed with a certificate christened by an official
> CA (which the SPI would buy), then it'd be basically bulletproof.

SSL adds approximately zero security unless you validate the server
certificate. I bet you've never done that in your life for https.
CRYPTO-GRAM had some choice remarks on the importance of https in
internet security a few months ago.

The "Official CAs" are so insecure they are a joke. I bet you don't
have a secure path to trust them. And you shouldn't trust them even if
they did; they'll hand out a certificate to anybody. Their purpose is
to provide a comfort blanket to stupid people so that they don't feel
scared about handing their credit card number over as blithely on the
internet as they do in most shops.

Trying to secure a credit card transaction online is a waste of time;
credit cards are inherently insecure. *Nobody tries*. They just put up
a convincing simulation to stop people giving them flak over
"security". Trying to leverage this infrastructure to provide real
security is futile, because it was not designed to have any.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
Attachment:
signature.asc
Description: Digital signature
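The point Andrew makes in the message above, that TLS only authenticates anything when the client actually validates the server certificate, is easy to show in code. The following is an added example written for this archive page, not code from the thread or from Debian or SPI. It contrasts a client context that accepts any certificate with one that requires a verified chain and matching hostname, and adds a fingerprint pin so trust can rest on an out-of-band published fingerprint rather than on whichever CA happened to sign the certificate. The function names, the `connect_pinned` helper and the placeholder certificate bytes are all assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Added example, not part of the original mailing-list message.
# Shows the weak (unvalidated) and hardened (validated) TLS client
# contexts side by side, plus a fingerprint pin as an alternative
# trust basis to a commercial CA.


def weak_context() -> ssl.SSLContext:
    """Client context that accepts any certificate from anyone.

    Traffic is encrypted, but nothing checks who is on the other end, so an
    active attacker can terminate the connection with a certificate of their
    own. This is the "approximately zero security" configuration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context that requires a chain to a trusted root and a hostname
    match (this is also the stdlib default for create_default_context())."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unverifiable or misnamed peer."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lower-case hex.

    This is the value you would publish out of band (on a signed page, in a
    keysigning-style announcement) so clients can pin it.
    """
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a presented certificate against a pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


def connect_pinned(host: str, port: int, expected_hex: str) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate matches
    the pinned fingerprint. Makes a network call, so it is not exercised here.

    The CA/hostname validation in hardened_context() runs inside wrap_socket();
    the pin check is a second, independent condition on top of it.
    """
    ctx = hardened_context()
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not fingerprint_matches(der, expected_hex):
            raise ssl.SSLError("peer certificate does not match pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    print("weak context validates peer:", context_validates_peer(weak_context()))
    print("hardened context validates peer:", context_validates_peer(hardened_context()))
    # Constructed placeholder bytes standing in for a DER certificate; not a
    # real certificate, only used to exercise the fingerprint functions.
    fake_der = b"\x30\x82\x01\x00 constructed placeholder, not a real certificate"
    print("pin matches own fingerprint:",
          fingerprint_matches(fake_der, cert_fingerprint(fake_der)))
```

If the pinned certificate is self-signed rather than CA-issued, the chain check in `hardened_context()` would reject it; in that case the certificate itself is loaded as the only trust anchor with `ctx.load_verify_locations(cafile=...)` and the pin still guards against that file being swapped. Either way the security comes from the client's checks, not from the presence of "https" in the URL.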