[144452] in North American Network Operators' Group


Re: Why are we still using the CA model? (Re: Microsoft deems all

daemon@ATHENA.MIT.EDU (Randy Bush)
Mon Sep 12 10:47:44 2011

Date: Mon, 12 Sep 2011 16:46:46 +0200
From: Randy Bush <randy@psg.com>
To: Leigh Porter <leigh.porter@ukbroadband.com>
In-Reply-To: <D181DDABABE57E4DB72FEE00331478643BDF6E@EALPO1.ukbroadband.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> But Gregory is right, you cannot really trust anybody completely. Even
> the larger and more respectable commercial organisations will be
> unable to resist <insert intel organisation here> when they ask for
> dodgy certs so they can intercept something..
> 
> No, as soon as you have somebody who is not yourself in control
> without any third party verifiably independent oversight then you have
> to carefully define what you mean by trust.

i am having trouble with all this.  i am supposed to only trust myself
to identify citibank's web site?  and what do i smoke to get that
knowledge?  let's get real here.

with dane, i trust whoever runs dns for citibank to identify the cert
for citibank.  this seems much more reasonable than other approaches,
though i admit to not having dived deeply into them all.

randy
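
The DANE check discussed in this message, as an added example that is not part of the original post: the zone operator publishes a TLSA record and the client accepts the server's certificate only if it matches that record and the DNS answer was DNSSEC-validated. The function names, the `dnssec_validated` flag and the sample byte strings are assumptions constructed for illustration; only certificate usage 3 (the record pins the server's own certificate or key) is handled.

```python
import hashlib
import hmac

# TLSA matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
_MATCH = {
    0: lambda b: b,
    1: lambda b: hashlib.sha256(b).digest(),
    2: lambda b: hashlib.sha512(b).digest(),
}

def parse_tlsa(rdata_text):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata_text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_matches(rdata_text, cert_der, spki_der, dnssec_validated):
    """True if the presented certificate matches a usage-3 TLSA record.

    cert_der and spki_der are the server certificate and its
    SubjectPublicKeyInfo, both DER-encoded (extracting the SPKI from the
    certificate is left to an X.509 library). dnssec_validated says whether
    the resolver validated the TLSA answer.
    """
    if not dnssec_validated:
        return False  # an unsigned answer could come from anyone on the path
    try:
        usage, selector, mtype, data = parse_tlsa(rdata_text)
    except ValueError:
        return False  # malformed record: fail closed
    if usage != 3 or selector not in (0, 1) or mtype not in _MATCH:
        return False  # usages 0-2 also need chain validation, not shown here
    # selector 0 = full certificate, 1 = public key only
    selected = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(_MATCH[mtype](selected), data)

# Constructed sample input: stand-ins for real DER bytes.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-spki-der"
# Record as it would be published at _443._tcp.<host> by the zone operator.
RECORD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(tlsa_matches(RECORD, CERT, SPKI, dnssec_validated=True))
    print(tlsa_matches(RECORD, CERT, SPKI, dnssec_validated=False))
```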

