On Wed, Jan 07, 2009 at 08:37:37AM +0000, Matthew Seaman wrote:
> 
> You're kind of stuck then aren't you -- at least in respect of TLS/SSL and
> x509 certificates?  If you don't trust any of the bodies who have the
> capability to authenticate the owners of a particular cryptographic
> key/certificate on your behalf, then you're going to have to do that
> authentication yourself.  Which is cool if you happen to know the movers
> and shakers in the FreeBSD world personally and you can sit down with them
> and compare key fingerprints.  Or even if you can get an introduction to
> them through a mutual acquaintance.

Not exactly.  See my comments up the thread a bit about alternative
site/cert agreement verification.

All the certifying authority *really* does for you is offer out-of-band
verification that the cert that has been delivered to you does indeed
belong with the IP address that delivered it.  It obviously doesn't
actually do that worth a damn, though, as the evidence of Verisign's
(among others) continued use of MD5 shows.

Multiply corroborated independent sources prove a far more trustworthy
verifier in the aggregate, in my opinion, than commercial entities
operating on an authentication model that amounts to an appeal to
authority fallacy.

If you think Verisign certification "proves" anything about the character
of the person who bought the cert in the first place, you might want to
rethink that -- even if you assume an incompetent Verisign employee
hasn't accidentally sabotaged the authentication process this time.

Authentication of an entity and the decision whether to trust that entity
are two separate things, and should be treated as such.

-- 
Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Anonymous C Professor: "To work on a program with the compiler in
debug mode and then to sell it compiling it without the debug option is
like learning to swim with floaters and then taking them off to swim
across the Atlantic."
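The two technical points in the reply above (a CA signature made with MD5 says little about the certificate you received, and agreement among several independently obtained fingerprints is a stronger corroboration) can be turned into concrete checks. The following is an added example, not code from the thread or from any FreeBSD or CA tooling; it uses only the Python standard library. The certificates it parses are constructed minimal DER skeletons (an empty TBSCertificate, an AlgorithmIdentifier, an empty BIT STRING) built inline for illustration; they are not valid certificates, but their outer structure is exactly what a parser walks to find the signature algorithm. The OID table, the `quorum` parameter and the list of "independent sources" are assumptions of this example.

```python
"""Added example: two defender-side checks on a DER-encoded X.509 certificate.

1. signature_algorithm(): which hash/signature algorithm signed the certificate
   (flagging md5WithRSAEncryption as weak).
2. corroborated(): does the certificate's SHA-256 fingerprint agree with enough
   fingerprints obtained through independent channels.
Sample certificates below are constructed skeletons, not real certificates.
"""
import hashlib

# Dotted OIDs for common RSA PKCS#1 signature algorithms (assumed table).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_HASH_ALGS = {"md5WithRSAEncryption"}


def der_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, value) for each child of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        yield tag, child


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Name of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, body, _ = der_tlv(cert_der)
    children = list(der_children(body))
    if tag != 0x30 or len(children) != 3:
        raise ValueError("not a Certificate SEQUENCE with three elements")
    alg_tag, alg_body = children[1]
    oid_tag, oid_body = next(der_children(alg_body))
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("signatureAlgorithm is not an AlgorithmIdentifier")
    oid = decode_oid(oid_body)
    return SIG_ALG_NAMES.get(oid, oid)  # unknown OIDs are returned as-is


def uses_weak_signature_hash(cert_der: bytes) -> bool:
    return signature_algorithm(cert_der) in WEAK_HASH_ALGS


def sha256_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def corroborated(cert_der: bytes, independent_fingerprints, quorum: int) -> bool:
    """True if at least `quorum` independent sources report this fingerprint."""
    fp = sha256_fingerprint(cert_der)
    return sum(1 for f in independent_fingerprints if f.lower() == fp) >= quorum


# --- constructed sample certificates (skeletons only, not valid X.509) -------
def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128  # short-form length is enough for these skeletons
    return bytes([tag, len(value)]) + value


def skeleton_cert(sig_oid: str) -> bytes:
    tbs = tlv(0x30, b"")                                          # empty TBS
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))  # OID + NULL
    sig = tlv(0x03, b"\x00")                                      # empty BIT STRING
    return tlv(0x30, tbs + alg + sig)


MD5_CERT = skeleton_cert("1.2.840.113549.1.1.4")
SHA256_CERT = skeleton_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, cert in (("md5 cert", MD5_CERT), ("sha256 cert", SHA256_CERT)):
        print(name, signature_algorithm(cert),
              "WEAK" if uses_weak_signature_hash(cert) else "ok")
    fp = sha256_fingerprint(SHA256_CERT)
    # constructed: three "independent" sources, two agree with what we received
    print("corroborated 2 of 3:", corroborated(SHA256_CERT, [fp, fp, "00" * 32], 2))
```

On a real certificate you would feed `signature_algorithm()` the DER bytes of each certificate in the chain (a root's own self-signature matters less than the CA signatures on intermediates and leaves), and `corroborated()` fingerprints gathered through channels that do not share a path with the connection being checked.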
