[OT] Re: Open then gates
On 15.05.2010 08:24, Russ Allbery wrote:
> Christoph Anton Mitterer <calestyo@scientia.net> writes:
>> And personally, I really do _not_ trust some of the CAs which are
>> included/enabled per default.
>
> Having done business with several of them, I don't trust any commercial
> CA. This is a way more fundamental problem. Essentially no X.509 used on
> the Internet uses trustworthy CAs. X.509 for web authentication is, in
> practice, not an authentication mechanism. It's solely an encryption
> mechanism. It's almost trivial to bypass the authentication portion if
> you're familiar with the business practices of the CAs.
Amen. PKI is a naive design and for all intents and purposes will
remain a pipe-dream. All security relationships that are worth anything
are bilateral, and no trusted third party is willing to accept enough risk
to warrant full trust.
Using public keys for auth is a good security model and the rest of x509
certs is just unnecessary overhead.
--
Eray