[liberationtech] Question EFF CA Let's Encrypt
Al Billings
albill at openbuddha.com
Wed Nov 19 10:24:52 PST 2014
You realize this is the same thing that the entire CA system currently uses and the purpose of the project is not to “fix” the CA system, right? This aspect isn’t any weaker than what people already do (if you’ve ever bought an SSL cert). They aren’t trying to address any DNS issues, and making improvements to a system doesn’t really require fixing everything that can go wrong (which is an excuse for inaction).
Al
> On Nov 19, 2014, at 9:55 AM, Richard Brooks <rrb at g.clemson.edu> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> My question boils down to:
>
> DNS (not DNSSEC) is unauthenticated, and a number
> of spoofing, poisoning attacks have been shown. One
> of the goals of the certs is to authenticate the
> other end of the communications, but I get the
> impression that this approach gives no extra verification
> beyond the fact that DNS sent you to the site
> at some point in time.
>
> How does this provide more security than self-signed
> certs?
>
> If you do verification from multiple geographic locations,
> that may be OK but still seems a bit dodgy.
>
> I really like the goal, I feel like I must be missing
> something here.