[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: fingerprint of the archive signing key

On Tue, Jun 29, 2004 at 02:39:51AM +0200, martin f krafft wrote:
> I think we should have a page explaining the key and its trust
> basis, and also publish the key's fingerprint. If that page could be
> SSL-tunneled and signed with a certificate christened by an official
> CA (which the SPI would buy), then it'd be basically bulletproof.

SSL adds approximately zero security unless you validate the server
certificate. I bet you've never done that in your life for
https. CRYPTO-GRAM had some choice remarks on the importance of https
in internet security a few months ago.

The "Official CAs" are so insecure they are a joke. I bet you don't
have a secure path to trust them. And you shouldn't trust them even if
they did; they'll hand out a certificate to anybody. Their purpose is
to provide a comfort blanket to stupid people so that they don't feel
scared about handing their credit card number over as blithely on the
internet as they do in most shops.

Trying to secure a credit card transaction online is a waste of time;
credit cards are inherantly insecure. *Nobody tries*. They just put up
a convincing simulation to stop people giving them flak over
"security". Trying to leverage this infrastructure to provide real
security is futile, because it was not designed to have any.

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature

Reply to: