CA safety (Re: Microsoft supporting tyrants?)
reiter at fsfeurope.org
Fri Mar 25 09:46:41 UTC 2011
Am Mittwoch, 23. März 2011 14:39:04 schrieb Werner Koch:
> On Wed, 23 Mar 2011 09:46, reiter at fsfeurope.org said:
> > As for the CA safety: This is an important issue. I think two things
> > should happen: We need an initiative to evaluate root CAs and publish
> > lists.
> I don't agree. The whole PKA business is broken. A big part in this is
> that it is, well, a business. But it is not the only problem. The
> centralized approach does not match todays communication reality .
The slides were not available under  to me.
>  Slides in German for a talk on this topic are at
> ftp://ftp.g10code.com/people/werner/talks/magdeburg2010.pdf .
But I think you've missunderstood me, I agree that we need a better model.
However we should - at the same time - secure the current model that there is.
This does not make it perfect, but currently implementations are really
lacking so does some of the organisational support around it.
To me business can particiapte doing some work, but as always, they need to be
controlled, e.g. by rules set by the people and controlled by the government.
This is the same with most companies. They can do good, if the playing field
> There is only one model which works, and that is the model we hacker
> refuse to implement for ordinary users: ~/.ssh/known_hosts. For all our
> important stuff we use this ssh model because it is technically simple
> to implement and simple to explain . Try to explain X.509 or the
I know many hacker that never check the fingerprints. Also this model has its
weaknesses when you desire to communicate with computer that you rarely
connect to. Still, I like the approach.
However X.509 or the web of trust model is not completely out of the windows
for me, it just needs other efforts to succeed. Why is there no maintained
list of CAs and their behaviour on the internet, that I know of?
We have lists and wikis about everything.
> What to do? Use self-signed X.509 certificates or gpg with
> --always-trust. Add the know_host stuff from ssh and design a good UI
> to handle the error cases (key change, name changes, real MITM attacks).
> Modern web browsers already have such UIs but their problem is that they
> get into action way to often - unless you pay the Internet tax.
I agree it would be useful to implement this model with many security
applications e.g. for X.509, OpenPGP.
FSFE -- Deputy Coordinator Germany (fsfeurope.org)
Your donation makes our work possible: www.fsfeurope.org/help/donate.en.html
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: This is a digitally signed message part.
More information about the Discussion