
Re: Security?



On Thu, Sep 12, 2013 at 1:57 AM, David Guntner <david@guntner.com> wrote:
> Maybe this discussion would best be taken to the Off Topic list? ;)
>

Certificates are supposed to refer to policies.

For example,

    This certificate is for checking that the website you've reached
is really our website.

    This certificate is for customers to be sure that they are sending
their credit card number to our processing servers and not phishing
servers.

    This certificate is for exchanging with our business partners in
ordinary money transactions.

Etc.

Certificates are not really appropriately named. Nor are policies.
There aren't enough templates for specific classes of certificates.
It's hard to believe and understand why greed so blinds the major
players, but creating a proper certificate is protected by copyright
and patent and trade secret law.

A pox on the major players, for their greed, but I wander.

This is not the most elegant way for users of an OS that is intended
to be securable to discuss security policy, but we have to discuss
security policy a lot more than we have.

If we don't, we're stuck re-hashing trivial stuff like password length
and salt constants and how to start and end an SSL/TLS session safely.
It doesn't matter how good the tech is if we don't know how and when
to apply it.

I don't think this is off topic, much though some of the posts have
been more than a little tongue-in-cheek and some of the posts have
maybe straddled the border between appropriate and excessive paranoia.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

