
Re: SSL for debian.org/security?



On Wed, Oct 30, 2013 at 09:15:44AM +0000, Vipul Agarwal wrote:
> How about if we use an SSL certificate signed by Debian's own root CA which
> can be shipped with the distros?

If you want to be sure that TLS is not b0rken, you have to kick out each
CA, and to manually check each key again. What's announced as being
trusted by one single CA you're trusting in, will not be checked in any
other way by common implementations, and there is no warning message.

This concept is flawed, and we all have to face it.

Yours,
VB.
-- 
Volker Birk
Oberer Graben 4, 8400 Winterthur, Schweiz
mailto:vb@dingens.org  http://fdik.org

Attachment: pgpo3GUHbEu7N.pgp
Description: PGP signature
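The point made above, that a client accepts whatever any single trusted CA asserts and that only pruning the trust store to the CA you actually mean changes that, can be shown with the openssl command-line tool. The script below is an added example, not code from the thread or from Debian: it creates two made-up test CAs, lets each issue a certificate for the same constructed hostname, and then checks the same leaf certificates against a trust file holding both CAs versus one holding only the intended CA (the `-no-CApath` flag keeps the system CA directory out of the comparison).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Two independent test CAs,
# "ca-a" and "ca-b", each issue a certificate for the same hostname; we then
# see what openssl verify accepts depending on which CAs are trusted.
# Requires the openssl command-line tool (1.1.1 or 3.x). All names are made up.
set -e

work=$(mktemp -d)
DEMO_HOST=security.example.invalid      # constructed hostname for the demo

# Minimal req config so the CA certs carry CA:TRUE regardless of the
# system openssl.cnf; the subject is supplied with -subj below.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA certificate named $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
    -keyout "$work/$1.key" -out "$work/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# End-entity certificate $1 for DEMO_HOST, signed by CA $2.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -keyout "$work/$1.key" -out "$work/$1.csr" -subj "/CN=$DEMO_HOST" 2>/dev/null
  openssl x509 -req -days 1 -in "$work/$1.csr" \
    -CA "$work/$2.crt" -CAkey "$work/$2.key" -CAcreateserial \
    -out "$work/$1.crt" 2>/dev/null
}

# Chain verification against an explicit trust file only (no system CA dir).
# Returns 0 when the certificate in $2 chains to some CA listed in $1.
verify_against() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
  if verify_against "$1" "$2"; then
    echo "accepted: $(basename "$2") with trust file $(basename "$1")"
  else
    echo "rejected: $(basename "$2") with trust file $(basename "$1")"
  fi
}

make_ca ca-a
make_ca ca-b
make_leaf leaf-a ca-a        # the certificate we actually intend to use
make_leaf leaf-b ca-b        # same hostname, issued by an unrelated CA

# A trust store that contains both CAs, like a typical system bundle.
cat "$work/ca-a.crt" "$work/ca-b.crt" > "$work/both.pem"

report "$work/both.pem" "$work/leaf-a.crt"   # accepted
report "$work/both.pem" "$work/leaf-b.crt"   # accepted too: any trusted CA will do
report "$work/ca-a.crt"  "$work/leaf-b.crt"  # rejected: trust limited to one CA
report "$work/ca-a.crt"  "$work/leaf-a.crt"  # accepted: the intended issuer
```

Nothing in the verifier distinguishes the two accepted cases: with both CAs in the trust file, the certificate from the unrelated CA passes with the same "OK" as the intended one, and no warning is produced. Only the run with a single-CA trust file rejects it, which is the manual pruning the mail refers to.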
