Chad Perrin wrote:
| On Tue, Jan 06, 2009 at 11:11:52AM -0900, Mel wrote:
|> On Tuesday 06 January 2009 10:31:26 Chad Perrin wrote:
|>> Out-of-band corroboration of a certificate's authenticity is kind of
|>> necessary to the security model of SSL/TLS. A self-signed certificate,
|>> in and of itself, is not really sufficient to ensure the absence of a man
|>> in the middle attack or other compromise of the system.
|>>
|>> On the other hand, I don't trust Verisign, either.
|> In the less virtual world, we only trust governments to provide identity
|> papers (manufactured by companies, but still the records are kept and
|> verified by a government entity).
|> Instead of trying to regulate the internet and provide a penal system,
|> governments would do much better taking their responsibility on these issues.
|> It shouldn't be so hard to give every citizen the option to "get an online
|> certificate corresponding with their passport" and similarly for Chambers of
|> Commerce to provide certificates for businesses.
|
| My distrust of the certifying authority is not mitigated by replacing
| Verisign with FedCorp. Institutional incompetence is typically a result
| of bureaucracy -- and even major corporations don't get as mired in
| bureaucracy as government.
|
You're kind of stuck then, aren't you -- at least in respect of TLS/SSL and
x509 certificates? If you don't trust any of the bodies who have the
capability to authenticate the owners of a particular cryptographic
key/certificate on your behalf, then you're going to have to do that
authentication yourself. Which is cool if you happen to know the movers and
shakers in the FreeBSD world personally and you can sit down with them and
compare key fingerprints. Or even if you can get an introduction to them
through a mutual acquaintance.

Oh, wait -- I seem to have reinvented the PGP web-of-trust thing. Shame
there's nothing quite like it for x509 certificates. The free Thawte service
for signing S/MIME certs for individual e-mail users is about the closest,
but Thawte is just a wholly owned subsidiary of Verisign, and they are going
to be strongly motivated not to internally compete with their profitable
business of selling expensive web server certificates.

Even so, while PGP signatures work well between a normal circle of
correspondents, I can't see how they could work practically to authenticate
a service designed to be open to the general public.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Flat 3 ~ 7 Priory Courtyard
Ramsgate ~ Kent, CT11 9PW, UK
PGP: http://www.infracaninophile.co.uk/pgpkey
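The out-of-band fingerprint comparison described above, as an added example that is not code from the thread or from any of its participants: a small POSIX shell script that assumes the `openssl` command-line tool and a PEM certificate file (file names are placeholders), and accepts the certificate only if its SHA-256 fingerprint matches a value obtained through a separate trusted channel.

```sh
#!/bin/sh
# Added example, not from the thread: pin a certificate to a fingerprint obtained
# out of band (e.g. read over the phone by the key's owner) instead of relying on
# a CA. Assumes the openssl(1) command-line tool; file names are placeholders.

# Drop colons and upper-case the hex so "ab:cd:..." and "ABCD..." compare equal,
# whatever format the out-of-band value was written down in.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the PEM certificate in $1, printed as "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeed only if the certificate in $1 matches the expected fingerprint $2.
# An empty actual fingerprint (unreadable or malformed file) counts as a mismatch.
verify_pinned() {
    actual=$(normalize_fp "$(cert_fingerprint "$1" 2>/dev/null)")
    expected=$(normalize_fp "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage: verify-pin.sh server.pem <fingerprint-from-trusted-channel>
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "fingerprint matches the out-of-band value"
    else
        echo "MISMATCH: do not trust this certificate" >&2
        exit 1
    fi
fi
```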