On 17/09/11 14:03, Peter Gutmann wrote:
> ... What you're saying is that no-one working in an environment where they actually need SSL should trust SSL.
I honestly don't understand why you would say "...where they actually need SSL...". Let's first assume we agree on what we mean by various terms here: that "environment" is one where people who are failed by their computer communication security system suffer consequences harsher (much, much harsher!) than a few hundred (or even a few thousand) dollars of monetary loss, and where their adversary is a government unbridled by any need to subject its surveillance projects to approval by an independent judiciary. "SSL" is a system that depends on the security of a large bunch of "trusted third parties", all of which are selected by various software vendors, and any single one of them can completely subvert the security of the said communication system.

It is obvious to me then that they ~don't need~ SSL; they should be instructed to ~avoid~ SSL. Or am I wrong in my understanding of what SSL is?

Mark R.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
