On 26/07/2017 6:20 AM, Adam Borowski
wrote:
https provides no protection against targetted attacks by government agents. The CA cartel model consists of 400+ CAs, many of them outright controlled by governments, most of the rest doing what they're told (no, warrants are are a story for nice kids). Clients in general trust _any_ CA, which means you're only as secure as the worst CA. Ie, https protects you against Joe Script Kiddie but not against a capable opponent. Except there are new-ish ways to limit the scope from 400+ CAs to just the one you use. c.f. Certification Authority Authorization (CAA) DNS Resource https://tools.ietf.org/html/rfc6844 ... if APT wishes to support this. |
Attachment:
signature.asc
Description: OpenPGP digital signature