> I do not understand why it is a problem if a user plays with
> certificates.

You DID read this part of my previous post?  You quoted it.  That is not
answer enough?
>> Rogue certificates allow attackers to create illegitimate sites that
>> are indistinguishable from real sites like eBay, Google or PNC
>> because their certificate hierarchy can be validated.  Users then
>> will be redirected to such sites through phishing or 'man in the
>> middle' attacks where a compromised host in-between the user and a
>> legitimate site sends traffic to an illegitimate site instead.

> What should be protected is the location where _trusted_ certificates
> are sought for by executables who need secure identification (web
> browsers, gnupg, etc).

Apparently you have never been to a website where the certificate was
said to have expired and you were prompted to accept a new one.  I have,
several times.  Social engineering to get a user who doesn't understand
security to accept a bogus certificate isn't hard to do.

> Even if you do that, the user can still grab a copy of the book and
> copy them from there...

Oh, well then, let's not protect anything, there's always some other way
a user can bring in cracking tools.  Let's just provide them, shall we?
The kids might leave the house and not lock the door, so it doesn't do
any good for us to always do it.

> I am not knowledgeable either (I am a physicist). But I am sure it is
> impossible to hide something which is public anyway.

If you're determined enough any security can be broken, anyone can
be assassinated.  Yet you lock your house.  Important people hire
bodyguards.

> Now, in the citation above, I understand they recommend auditing and
> controlling sensitive parts of a system, which is a different story.

Why bother?  It's no problem, isn't that what you say?

No, I don't find your arguments persuasive, nor have you demonstrated a
circumstance where as a user it was necessary that you set up your own
certificate authorities.  That's what those scripts do--you don't have
to put them in the system directories--they'll put them in ~/.ssl!
-- 
Paul Rogers
[email protected]
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

        


-- 
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
