On 08/10/2015 08:38 AM, Volker Braun wrote:
> On Monday, August 10, 2015 at 11:42:16 AM UTC+2, vdelecroix wrote:
>
> > I agree with you: from a technical point of view this is stupid.
>
> It is not. There is no security without the chain of trust. Maybe in a
> parallel universe where everybody is so far on the autistic spectrum
> that they religiously verify fingerprints over a second channel, but
> not in the real world.
>

You don't need to verify the fingerprint. If you don't have to pay for certs, you can make them valid for eternity, and only warn the user when they change. There's only one opportunity for a MITM -- when you first "save" the cert -- and that's no different than the CA model (where did you get your root certs?).
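
The scheme the reply describes (save the certificate on first contact, warn only when it changes), as an added example that is not part of the original message. `PinStore`, `fetch_der` and the pin file layout are assumptions made here, and the demo uses constructed byte strings in place of real certificates.

```python
import hashlib, hmac, json, os, socket, ssl, tempfile

class PinStore:
    """Trust-on-first-use pins: "host:port" -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        tmp = self.path + ".tmp"  # write then rename, so a crash cannot truncate the store
        with open(tmp, "w") as f:
            json.dump(self.pins, f, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, host, port, der):
        key = f"{host.lower()}:{port}"
        seen = hashlib.sha256(der).hexdigest()
        pinned = self.pins.get(key)
        if pinned is None:  # the single unauthenticated moment: first save
            self.pins[key] = seen
            self._save()
            return "first-use"
        # A mismatch never overwrites the pin; the caller must warn the user.
        return "match" if hmac.compare_digest(pinned, seen) else "changed"

def fetch_der(host, port=443, timeout=5):
    """Fetch the server certificate without CA validation (the pin replaces it)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def demo():
    # Constructed byte strings stand in for two different DER certificates.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        first = PinStore(path).check("Example.test", 443, cert_a)
        again = PinStore(path).check("example.test", 443, cert_a)  # reloaded from disk
        swapped = PinStore(path).check("example.test", 443, cert_b)
        still = PinStore(path).check("example.test", 443, cert_a)  # pin survived the mismatch
        return [first, again, swapped, still]

if __name__ == "__main__":
    print(demo())
```

Against a live server, `PinStore(path).check(host, 443, fetch_der(host))` gives the same three outcomes; only `"changed"` needs the user's attention.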