BLU Discuss list archive
[Discuss] Why the dislike of X.509?
- Subject: [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Fri, 29 Aug 2014 11:00:26 -0400
- In-reply-to: <540070AE.9060404@mattgillen.net>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <sjmmwarchcd.fsf@securerf.ihtfp.org> <53FE1FCB.7010405@gmail.com> <sjmvbpcbji2.fsf@securerf.ihtfp.org> <53FF75C6.7@gmail.com> <sjmha0vblcy.fsf@securerf.ihtfp.org> <540070AE.9060404@mattgillen.net>
On 8/29/2014 8:23 AM, Matthew Gillen wrote:
> My understanding (and it's possible I made this up, I can't seem to find
> any supporting documentation with a cursory search of the intertubes) is
> that the main approach to dealing with CA compromises is to use
> chaining: you have the root CA(s) locked up and offline in high
> security.

That's how we expect X.509 root CAs to operate. Problem is, X.509 has no mechanism to verify that the root CA that is allegedly locked up, offline, in a secure vault has not been compromised. We are required to trust that, for example, the SSL root certificates are good solely on the say-so of companies that care more about their public images and stock prices than about their customers' security.

--
Rich P.