Ian G wrote, On 2008-10-20 22:41:
> Nelson B Bolyard wrote:
>> It is widely agreed that, since KCM has no central revocation facility,
>
> KCM is not central, period. Talking about revocation is a strawman.

I should have said "central revocation SERVICE". Sadly, it DOES have a central revocation facility now, a central source for that awful 10MB file that every KCM user must now use.

>> Further, new KCM keys should be tested against those files before being
>> added to the user's trusted list. This has given rise to the proposal
>> to add code to do that to the browser. But the prospect of adding such
>> enormous CKLs to browser downloads seems to be unacceptable to nearly
>> everyone in Mozilla land.
>
> What has this got to do with KCM? Is KCM being used to create keys
> now? Or are you saying that the KCM module has to now test all the
> PKI keys too?

If you're going to have the browser use KCM for SSL servers, then the browser has need of a revocation method for KCM, just like SSH does, and that presently means dragging around that 10MB file.

>> I think that says that KCM really must be relegated to the uses that
>> really don't care about MITM, not even in the least tiny little bit.
>
> Nelson, you sound really bitter about this. SSH has protected
> people for a decade or more. If you can't see why that is, well,
> perhaps you can at least see that people are not abandoning it, and
> it will be protecting for another decade.

I know that lots of SSH users have still never downloaded the 10MB file+program package and run it locally. Yes, I know why they cling to SSH, even though they do not use the Debian Key Finding program/file. It's because they don't understand the danger, and simply like the warm and fuzzy feeling they have from using SSH in blissful ignorance.

>> Personally, I have no such uses. I have no need for encryption that is
>> vulnerable to MITM, but evidently lots of people think they do.
>
> If your choice is to pay that cost, yourself, that's fine.

Pay? Just what is that cost? The cost of a cert from a free CA?
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
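The check Nelson describes in the quoted text (test a new KCM key against the compromised-key list before adding it to the trusted list), written out as an added example; this is not code from the thread, from Mozilla or from any SSH implementation. The SHA-256 fingerprint scheme and the blacklist contents are constructed assumptions, not the real Debian blacklist format, and the first-use branch is exactly the point where KCM gives no MITM protection, which is what the thread is arguing about.

```python
import hashlib
from typing import Dict, Set


def fingerprint(pubkey: bytes) -> str:
    """Fingerprint of the raw public key bytes (assumed scheme: SHA-256 hex)."""
    return hashlib.sha256(pubkey).hexdigest()


# Constructed stand-in for the compromised-key list (CKL); a real list would
# hold fingerprints of the known-weak keys, not these made-up values.
WEAK_KEYS: Set[str] = {
    fingerprint(b"constructed-weak-key-1"),
    fingerprint(b"constructed-weak-key-2"),
}


class KcmStore:
    """Key continuity store in the style of SSH known_hosts: trust on first
    use, but refuse to trust a key that is on the compromised-key list."""

    def __init__(self, blacklist: Set[str]) -> None:
        self.trusted: Dict[str, str] = {}   # host -> pinned fingerprint
        self.blacklist = blacklist

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        if host in self.trusted:
            # Continuity check: a changed key is the only MITM signal KCM has.
            return "ok" if self.trusted[host] == fp else "changed"
        if fp in self.blacklist:
            # The CKL test from the thread: never pin a known-weak key.
            return "weak"
        # First contact: nothing verifies this key, so KCM pins it blindly.
        self.trusted[host] = fp
        return "tofu"


def demo() -> list:
    """Walk one host through first use, a repeat visit, a changed key,
    and a second host that presents a blacklisted key."""
    store = KcmStore(WEAK_KEYS)
    return [
        store.check("host-a", b"constructed-good-key"),
        store.check("host-a", b"constructed-good-key"),
        store.check("host-a", b"constructed-other-key"),
        store.check("host-b", b"constructed-weak-key-1"),
    ]
```

Running `demo()` returns `['tofu', 'ok', 'changed', 'weak']`; only the last two outcomes are detections, the first is the unverified trust decision the thread is about.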