On Wed, Jan 07, 2009 at 08:37:37AM +0000, Matthew Seaman wrote: > > You're kind of stuck then aren't you -- at least in respect TLS/SSL and > x509 certificates? If you don't trust any of the bodies who have the > capability to authenticate the owners of a particular cryptographic > key/certificate on your behalf, then you're going to have to do that > authentication yourself. Which is cool if you happen to know the movers > and shakers in the FreeBSD world personally and you can sit down with them > and compare key fingerprints. Or even if you can get an introduction to > them through a mutual acquaintance.
Not exactly. See my comments up the thread a bit about alternative site/cert agreement verification. All the certifying authority *really* does for you is offer out-of-band verification that the cert that has been delivered to you does indeed belong with the IP address that delivered it. It obviously doesn't actually do that worth a damn, though, as the evidence of Verisign's (among others) continued use of MD5 shows. Multiply corroborated independent sources prove a far more trustworthy verifier in the aggregate, in my opinion, than commercial entities operating on an authentication model that amounts to an appeal to authority fallacy. If you think Verisign certification "proves" anything about the character of the person who bought the cert in the first place, you might want to rethink that -- even if you assume an incompetent Verisign employee hasn't accidentally sabotaged the authentication process this time. Authentication of an entity and the decision whether to trust that entity are two separate things, and should be treated as such. -- Chad Perrin [ content licensed OWL: http://owl.apotheon.org ] Quoth Anonymous C Professor: "To work on a program with the compiler in debug mode and then to sell it compiling it without the debug option is like learning to swim with floaters and then taking them off to swim across the Atlantic."
Description: PGP signature