> On 12.07.2016, at 13:26, Franco Fichtner <fra...@lastsummer.de> wrote:
>
>> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev <dan...@digsys.bg> wrote:
>>
>> It is trivial to play MITM with this protocol and in fact, there are
>> commercially available “solutions” for “securing one’s corporate network”
>> that do exactly that. Some believe this is with the knowledge and approval
>> of the corporation, but who is to say what the black box actually does and
>> whose interests it serves?
>
> It's also trivial to ignore that pinning certificates and using client
> certificates can actually help a great deal to prevent all of what you
> just said. ;)

I don’t know many users who even know that they can do this — much less actually use it. Pinning the browser vendor’s certificates does not protect you from being spied on while visiting someone else’s site. This is also non-trivial to support.

In the early days of DANE, Google even had a version of Chrome that supported DANE, just to kill it a bit later:

https://www.ietf.org/mail-archive/web/dane/current/msg06980.html

> The bottom line is not having GOST support readily available could alienate
> a whole lot of businesses. Not wanting those downstream use cases will make
> those shift elsewhere and the decision will be seen as an overly political
> move that in no possible way reflects the motivation of community growth.

Exactly — especially as long as there is no demonstrable proof that GOST is actually broken.

Daniel
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"