Hi,

(Is it within the list charter to discuss theoretical background?)

On 09/01/2014 08:48 PM, maxigas wrote:
> Excellent point and thanks for the tool! Indeed, fingerprint
> verification is the absolute weak point of SSH.

This is about the trust relationship model. And the end-to-end trust relationship model used by SSH - while not always feasible as is - is much better than the "military" model of X.509, which actually dooms adoption of encryption technologies.

If you do not like the end-to-end model, then you can build something on top of it. This tool is an example of it. (I do not want to argue whether better or not.) With the military model you could build something *despite* the built-in model.

And my main point would be that it is high time to come up with something, based on real-life use cases, which uses X.509 (just because it is well supported) and works around its broken trust relationship model. This could solve some SSH-related use cases as well.

The problem is that I (and a lot of other people here) could come up with technologically sound solutions, but no one has yet come up with something which has a sustainable business model behind it as well. (When I use the term "business model" I do not necessarily mean a money-driven setup: it includes those things which drive open source projects, like Linux kernel or Apache development.)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
