On 6 Oct, 11:02 pm, tobias.oberst...@tavendo.de wrote:
Personally, I assume root CA private keys of any CA vendor are owned by
the NSA anyway.
There's no rule that says you have to use a "root CA" signed certificate
for your TLS connections.
Sure, in theory, but there are multiple practical problems when using
self-signed certs or certs signed by a CA not built into browsers. As a
starter, here are 3:
- enterprise networks might block those right away with no way for the
  user to accept self-signed or import alien CA certs
- the user experience is bad: Firefox scares with dialogs and multiple
  steps of overcoming those
- with WebSocket, browsers will not even show a dialog! WebSockets are
  so-called "subresources", and browsers will never render dialogs for these
So in practice, I _have_ to use a CA that is built into all major
browsers.
You're assuming a lot here. Perhaps TLS is broken for all the uses
you're interested in - that doesn't mean it's broken for everyone else's
uses.
*This* is probably now sufficiently off-topic, though...
Jean-Paul
/Tobias
Jean-Paul
Really, TLS is broken.
We need a new scheme. For encryption session keys, Diffie-Hellman is
available, and provides perfect forward secrecy naturally.
For authentication, we need a peer-based system like PGP has, not
relying on centrally managed trust.
I know. Not going to happen any time soon ..
/Tobias
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python