OT: problems with the X.509 PKI business [was: Re: Gcrypt-devel Digest, Vol 66, Issue 5]
Milo
gnupg at oneiroi.net
Fri Aug 13 20:05:51 CEST 2010
Hi.
On 07/25/2010 04:07 AM, Daniel Kahn Gillmor wrote:
> On 07/24/2010 06:37 AM, Milo wrote:
>> On 07/24/2010 10:36 AM, gcrypt-devel-request at gnupg.org wrote:
>>
>>>> A counterpoint would be that the whole X.509 PKI business is entirely
>>>> broken and does not provide any security at all.
>>>
>>> agreed, sadly.
>
>>
>> "whole X.509 PKI business is broken and does not provide any security at
>> all" - very interesting statement. Could you elaborate on that?
>
> For one example, X.509 sets up a situation that encourages centralized,
> hierarchical reliance on an unaccountable cabal of Certificate Authorities:
>
> http://lair.fifthhorseman.net/~dkg/tls-centralization/
>
> --dkg
It's hard to disagree that it is seriously flawed; however, in practice
it's somehow far from being "entirely broken" and "not providing any
security at all". There is a small number (if any) of real-life pieces of
evidence for serious violation/exploitation of CA model weaknesses (on the
other side, it seems improbable that it is not exploited...). I'm not
negating the need for research on a better substitute - my point is that
X.509 as is, is still providing some degree of security and it's better
than nothing.
--
Regards,
Milo