On Mon, Feb 13, 2012 at 3:16 PM, Chris Palmer <[email protected]> wrote:
On Mon, Feb 13, 2012 at 3:08 PM, Kyle Hamilton <[email protected]> wrote:
We can continue to outlaw it, in which case it will continue to exist outside of our sight. We can continue to do the things we've tried to do before, to break what currently exists and to try to prevent technological subversion in an arms race. That will only ensure that other standards bodies will step up to fill the void of workable standards for authentication, and ensure that companies will still do anything they can to make a buck and find ways to subvert our in-loco-parentis "you can't do that, it's for your own good" security model. It's time for us to get over ourselves.
For network operators wanting to MITM their own client devices, the solution is simple: install the MITM certificate as a trusted root certificate at the time the device is provisioned (and/or in later updates). Windows GPOs, for example. There is no need for such operators to get or use a *public* authority for this purpose. Everybody wins; what's the problem?
Do you have any idea how hard some software (*cough*Firefox*cough*) currently makes it to provision trust anchors for anything, much less anything resembling this purpose? Do you have any idea how much it costs to indoctrinate someone into the peculiar worldview where X.509 actually makes sense? We MUST NOT force network and systems administrators and image builders to fight us and our well-meaning yet ultimately misguided attempts to make the world a better place.
-Kyle H
_______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
