BLU Discuss list archive
[Discuss] Why the dislike of X.509?
- Subject: [Discuss] Why the dislike of X.509?
- From: jabr at blu.org (John Abreau)
- Date: Mon, 25 Aug 2014 13:57:22 -0400
- In-reply-to: <53FB70E6.50706@gmail.com>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com>
So the problem is that in order to connect to your company's VPN, you're
forced to trust the sysadmin who administers the company's VPN server,
since he controls the company's "centralized" CA root for the VPN server?

On Mon, Aug 25, 2014 at 1:22 PM, Richard Pieri <richard.pieri at gmail.com> wrote:
> On 8/25/2014 12:25 PM, John Abreau wrote:
> > So you hate OpenVPN, which uses the user's own private self-generated
> > SSL certificate authority and does *not* require the centralized
> > certificate authorities, because SSL in web browsers requires
> > the centralized certificate authorities?
>
> The SSL root CAs are a type of centralized CA: they're public CAs. It's
> not the publicness that makes them centralized; it's that all of the
> certificates they issue are chained to their root certificates. A
> private, self-signed CA is still a central CA: all certificates issued
> by it are chained to that authority's root certificate. This is the very
> definition of centralized.
>
> It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated
> them since the early 1990s. I hate them because they're single points of
> compromise for entire systems. I hate them because compromise is
> undetectable by users.
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>

--
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23 C2D0 E885 E17C 9200 63C6