On 8/25/2014 3:11 PM, [email protected] wrote: > *Any* security infrastructure is a central point of compromise. That's the > nature of security. You are left with either an unmanageable mess or > forced to use or create some sort of infrastructure to manage it.
This is a gross misrepresentation. When you have a master key, theft of the master key compromises the entire system. When you don't have master keys, theft of a key only compromises the entity associated with that key. You can have a manageable system without relying on master keys or key escrow. Kerberos has been doing it for decades. > ANY security system is vulnerable to bad actors that can gain access to > sensitive data. With a CA on openvpn, merely regenerate your master key > and push a new cert. When users can't connect, they have to re-validate > and obtain a new key. "Merely". And how, pray tell, are YOU going to know if your private root certificate has been compromised when X.509 lacks a mechanism to detect root certificate compromises? -- Rich P. _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
