
Re: OT: crypto, auth, CAs, web-of-trust, and phony certs





On 24 March 2011 11:18, Dr. Ed Morbius <dredmorbius@gmail.com> wrote:
> Apropos some of the recent discussion we've had here of various Debian
> signing keys.
>
> A major CA (certificate authority) has issued fake SSL certs for
> Google.com, Yahoo.com, and Skype.com (and apparently 6 other sites)
> after its signing keys were compromised.
>
>    http://threatpost.com/en_us/blogs/phony-web-certificates-issued-google-yahoo-skype-others-032311
>
> Under the CA / SSL model, you trust a website because you trust the CA.

Personally, I think the Dane factor is worth more than a look:

http://tinyurl.com/4z54hzq

Regards

Weaver.
--
Religion is regarded by the common people as true, 
by the wise as false,
and by the rulers as useful.

— Lucius Annæus Seneca.

Terrorism, the new religion.

