
[OT] Re: Open then gates



On 15.05.2010 08:24, Russ Allbery wrote:
> Christoph Anton Mitterer <calestyo@scientia.net> writes:
>> And personally, I really do _not_ trust some of the CAs which are
>> included/enabled per default.
> 
> Having done business with several of them, I don't trust any commercial
> CA.  This is a way more fundamental problem.  Essentially no X.509 used on
> the Internet uses trustworthy CAs.  X.509 for web authentication is, in
> practice, not an authentication mechanism.  It's solely an encryption
> mechanism.  It's almost trivial to bypass the authentication portion if
> you're familiar with the business practices of the CAs.

Amen.  PKI is a naive design and for all intents and purposes will
remain a pipe-dream.  All security relationships that are worth anything
are bilateral and no trusted third party is willing to accept enough risk
to warrant full trust.

Using public keys for auth is a good security model and the rest of x509
certs is just unnecessary overhead.

-- 
Eray

