Ian G:
Nelson B Bolyard wrote:
It is widely agreed that, since KCM has no central revocation facility,
KCM is not central, period. Talking about revocation is a strawman.
I think that's the point he is making.
What's your point? Sounds to me like most of the last 1000 security
bugs. Patch it, or remain vulnerable?
Patching is fine, they did. However the (SSH) keys don't have a validity
period attached to them, nor can they be revoked. At least CAs could
revoke the vulnerable keys, which CAs really did.
If you encounter a cert from StartCom today you can be assured that it's
not a weak key. You can't do that with KCM (easily) nor is there an
authority who cares and takes responsibility. Nor would Mozilla be in
the situation to take over the role of CAs. The idea of scanning for
weak keys was not feasible.
What has this got to do with KCM? Is KCM being used to create keys
now? Or are you saying that the KCM module has to now test all the
PKI keys too?
Compare that to the above and you understand the little difference
between having a third party and KCM. Beside that the self-signed certs
don't provide any value...
Nelson, you sound really bitter about this. SSH has protected
people for a decade or more.
You can use PKI with SSH. Not many uses it, but that's not SSH's fault.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
