Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Why the dislike of X.509?



On 8/25/2014 3:11 PM, markw at mohawksoft.com wrote:
> *Any* security infrastructure is a central point of compromise. That's the
> nature of security. You are left with either an unmanageable mess or
> forced to use or create some sort of infrastructure to manage it.

This is a gross misrepresentation. When you have a master key, theft of
the master key compromises the entire system. When you don't have master
keys, theft of a key only compromises the entity associated with that key.

You can have a manageable system without relying on master keys or key
escrow. Kerberos has been doing it for decades.


> ANY security system is vulnerable to bad actors that can gain access to
> sensitive data. With a CA on openvpn, merely regenerate your master key
> and push a new cert. When users can't connect, they have to re-validate
> and obtain a new key.

"Merely". And how, pray tell, are YOU going to know if your private root
certificate has been compromised when X.509 lacks a mechanism to detect
root certificate compromises?

-- 
Rich P.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org