bugs.gnupg.org TLS certificate
antony at blazrsoft.com
Fri Mar 13 20:23:30 CET 2015
On 3/13/2015 10:02 AM, Ville Määttä wrote:
> On 13.03.15 15:27, Werner Koch wrote:
>> The more expensive CAs are only selling you a fashionable background
>> color for your client's address bar.
> Essentially, that's it :).
> There are however clearly defined hard requirements to the Extended
> Validation, aka "green bar" level. That is, more involved validation of
> the organization and the person requesting the certificate. But those EV
> certs can be had for cheaper than hundreds of dollars per year.
This topic brought to mind some interesting proposed RFCs that could
essentially eliminate the need for centralized certificate authorities.
Just wanted to get some opinions on the topics since it's related to
certificate issues and the slavery of security to an external authority.
The combination of DNSSEC and DANE authentication can essentially
make a self-signed certificate as legitimate as one signed by an
"official" CA (if I'm not mistaken). There were some security
implications IIRC, but not being a professional on the subject, I'm not
sure what they were. I started implementing them on my own website and I
am very interested in seeing these proposals become official standards.
I'm also interested in the thoughts of anyone else who might have more
insight into the downsides or repercussions of relying strictly on such
a system (if external CAs no longer existed, for example).
Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
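As an added illustration of how DANE lets a self-signed certificate stand on its own (this is example code, not part of the original thread): a minimal Python model of an RFC 6698 TLSA record with certificate usage 3 (DANE-EE). The site operator publishes a "3 1 1" record carrying the SHA-256 of the certificate's SubjectPublicKeyInfo in a DNSSEC-signed zone, and a client that has validated the DNSSEC chain compares that digest with the certificate presented in the TLS handshake instead of asking a CA. The DER helpers and the certificate skeleton are constructed for the example, and DNSSEC validation itself is assumed to have been done by the resolver and is not shown.

```python
import hashlib
import hmac
# TLSA RDATA fields from RFC 6698: certificate usage, selector, matching type.
USAGE_DANE_EE = 3                     # usage 3: trust this end-entity cert itself, no CA chain needed
SELECTOR_FULL, SELECTOR_SPKI = 0, 1   # match the whole certificate or only its SubjectPublicKeyInfo
MATCH_SHA256, MATCH_SHA512 = 1, 2     # matching type: which digest of the selected data is published

def der(tag, content):  # DER TLV encoder (short/long length), used only for the constructed sample cert
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def der_tlv(buf, pos=0):  # decode the TLV at pos (definite lengths only) -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):  # raw SubjectPublicKeyInfo TLV of an X.509 DER certificate
    _, cert_body, _ = der_tlv(cert_der)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = der_tlv(cert_body)       # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, ... }
    pos, fields = 0, []
    while pos < len(tbs):
        tag, _, end = der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:             # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]                  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_association_data(cert_der, selector, matching_type):
    data = cert_der if selector == SELECTOR_FULL else extract_spki(cert_der)
    return (hashlib.sha256 if matching_type == MATCH_SHA256 else hashlib.sha512)(data).digest()
def tlsa_rdata_for(cert_der, selector=SELECTOR_SPKI, matching_type=MATCH_SHA256):
    # Server side: the record the operator publishes (rendered "3 1 1 <hex>") for its own certificate.
    return (USAGE_DANE_EE, selector, matching_type, tlsa_association_data(cert_der, selector, matching_type))
def dane_ee_matches(cert_der, tlsa_record):
    # Client side: does the certificate presented in the TLS handshake match the DNSSEC-validated record?
    usage, selector, matching_type, assoc = tlsa_record
    if usage != USAGE_DANE_EE:
        raise ValueError("this example handles certificate usage 3 (DANE-EE) only")
    return hmac.compare_digest(tlsa_association_data(cert_der, selector, matching_type), assoc)

# Constructed minimal certificate skeleton: structurally valid DER, not a real signed certificate.
EC_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))   # AlgorithmIdentifier (id-ecPublicKey)
SPKI = der(0x30, EC_ALG + der(0x03, b"\x00\x04" + bytes(64)))  # SubjectPublicKeyInfo with a dummy point
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + EC_ALG + der(0x30, b"")
          + der(0x30, der(0x17, b"150313000000Z") * 2) + der(0x30, b"") + SPKI)
CERT_DER = der(0x30, TBS + EC_ALG + der(0x03, b"\x00" + bytes(8)))
```

The comparison only means something if the TLSA answer was DNSSEC-validated; without that, trust has merely moved from the CA to whoever can answer the DNS query.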