On Mon, 31 Dec 2012 15:42:39 +0100 Tobias Klausmann <klaus...@gentoo.org> wrote:
> I _do_ think that his concerns need to be addressed, particularly the
> second half of his statement.

Whilst I agree that if it does, Debian's system shouldn't undermine Mozilla's. I think the latest efforts are a pointless band-aid, but I'm sure better solutions should come if we can get around the CAs wanting to make money issue.

> "Can you prove you know what certificates were issued, to whom, and who
> authorized them?" Accountability 101! It's not perfect, but it's a huge
> step forward from "Oh, this guy I know says it's cool"

Is it really? Introducing trust on people we don't know and can't possibly verify (yes, I know the procedures that you could argue badly are better than none). What SSL protects is data between two servers, and all that is required is to ensure that you are talking securely to the server or domain name you have chosen to trust. Anything else is simply adding vectors of attack and false senses of security. I thought DNSSEC may be extremely useful for SSL, but it seems it may well just be the best available option at the moment, as DNSSEC could do with an overhaul too first.