[dundee] Finux on about SSL again
Arron M Finnon
finux at finux.co.uk
Sun Sep 5 09:39:04 UTC 2010
--
Arron "finux" Finnon
www.finux.co.uk - www.twitter.com/f1nux - www.facebook.com/finux
PGP: http://finux.co.uk/finux.asc
On Sun, 2010-09-05 at 00:03 +0100, Kris Davidson wrote:
> Okay, now onto that guy. I'm all for paranoia, and perhaps at a DEFCON
> convention it's probably a good idea to do stuff like this, but he just
> seems to be ignoring the forest for the trees on this one. As for the
> trust issue, I do think CAs and domain registrars (even ignoring the
> security stuff on this one, people just mess up DNS and domain camp)
> should do more vetting of customers. It costs somewhere in the region
> of 10k to 50k, depending on several variables, to become a CA. I
> think a process should be put in place for removing a CA if they issue
> too many dodgy certificates and don't revoke them in a timely fashion.
This is what OCSP was designed to do. I also think he accepts that this
isn't a one granny solution; I like the idea mainly because he is taking
ownership of his own vetting of certificates.
It's a proactive step; I tend to check certs anyway, so it's not much more
of a step. However, my only issue is that the person you're validating probably
has no idea. I once called my telco's provider because I had a cert
warning on their payment processing page, and was told to clear my
browser cache, which I thought was amusing, seeing as HTTPS isn't cached,
so I can imagine asking for the fingerprint of their cert would have
just gone straight over their head.
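The manual vetting step the thread is discussing, checking a site's certificate fingerprint yourself against a value obtained out of band, can be scripted. The following is an added example and is not code from the original post or from anyone in the thread. It extracts the DER bytes from a PEM certificate, hashes them the way browsers and openssl display fingerprints, and compares the result against a pinned fingerprint in constant time; `fetch_pem` wraps the standard-library `ssl.get_server_certificate` for a live check but is not exercised offline. The PEM block embedded below is a constructed placeholder with a well-formed base64 body, not a real certificate, so the demo runs without network access; the function and variable names are the example's own.

```python
"""Pin-check a TLS certificate by its SHA-256 fingerprint.

Added example, not code from the original mailing-list thread. It shows
the manual "ask for the fingerprint and compare it yourself" check: take
the certificate in PEM form, hash its DER bytes, and compare against a
fingerprint obtained out of band (from the operator, a phone call, etc.).
"""
import base64
import hashlib
import hmac
import re
import ssl

# Constructed placeholder PEM block (NOT a real certificate). The fingerprint
# code only needs a well-formed base64 body, so this runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ2hhbmdlTWVFeGFtcGxlQ2VydDAKBggqhkjOPQQDAjAU
MRIwEAYDVQQDDAlleGFtcGxlMTAeFw0yMzAxMDEwMDAwMDBaFw0yNDAxMDEwMDAw
MDBaMBQxEjAQBgNVBAMMCWV4YW1wbGUxMA==
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER, as browsers and
    `openssl x509 -fingerprint` display it."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Strip colons, spaces and case so a fingerprint read out over the
    phone or copied from a browser dialog compares equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_pin(pem: str, pinned: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the presented certificate's fingerprint
    against the pinned value obtained out of band."""
    return hmac.compare_digest(normalise(fingerprint(pem, algo)), normalise(pinned))


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate a live server presents (needs network).

    Note: ssl.get_server_certificate does not validate the chain; that is
    the point here, the pin comparison is the check being performed.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Pretend the operator told us the fingerprint; here it is computed from
    # the placeholder so the offline demo has a known-good value to compare.
    pinned = fingerprint(SAMPLE_PEM)
    print("presented:", fingerprint(SAMPLE_PEM))
    print("pin ok:   ", matches_pin(SAMPLE_PEM, pinned))
    print("tampered: ", matches_pin(SAMPLE_PEM, "00:" * 31 + "00"))
```

For a real site you would call `fetch_pem("example.org")` and pass the result to `matches_pin` alongside the fingerprint the operator gave you; `normalise` means it does not matter whether they read it out with colons, spaces, or in lower case.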