bugs.gnupg.org TLS certificate

Antony Prince antony at blazrsoft.com
Fri Mar 13 20:23:30 CET 2015


On 3/13/2015 10:02 AM, Ville Määttä wrote:
> On 13.03.15 15:27, Werner Koch wrote:
>> The more expensive CAs are only selling you a fashionable background
>> color for your the client's address bar.
> 
> Essentially, that's it :).
> 
> There are however clearly defined hard requirements to the Extended
> Validation, aka "green bar" level. That is, more involved validation of
> the organization and the person requesting the certificate. But those EV
> certs can be had for cheaper than hundreds of dollars per year.

This topic brought to mind some interesting proposed RFCs that could
essentially eliminate the need for centralized certificate authorities.
Just wanted to get some opinions on the topics since it's related to
certificate issues and the slavery of security to an external authority.
The combination of DNSSEC[1] and DANE[2] authentication can essentially
make a self-signed certificate as legitimate as one signed by an
"official" CA (if I'm not mistaken). There were some security
implications IIRC, but not being a professional on the subject, I'm not
sure what they were. I started implementing them on my own website and I
am very interested in seeing these proposals become official standards.
I'm also interested in anyone else's thoughts who might have more
insight into the downsides or repercussions of relying strictly on such
a system (if external CAs no longer existed, for example).


[1]https://tools.ietf.org/html/rfc4035
[2]https://tools.ietf.org/html/rfc6698

-- 

Antony Prince

Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B  959F A6E1 6242 4F04 0744
URL:
https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744

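The check a client makes when a self-signed certificate is pinned through DANE (RFC 6698 certificate usage 3), as an added example that is not part of the original message. The function names and the certificate-shaped sample bytes are constructed for illustration, and the TLSA record is assumed to have been returned by a DNSSEC-validating resolver.

```python
import hashlib
import hmac

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_from_cert(cert):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, off, _ = _tlv(cert, 0)        # Certificate SEQUENCE
    _, off, _ = _tlv(cert, off)      # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(cert, off)
    if tag == 0xA0:                  # optional [0] version
        off = nxt
    for _ in range(5):               # serial, sigAlg, issuer, validity, subject
        off = _tlv(cert, off)[2]
    return cert[off:_tlv(cert, off)[2]]

HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # RFC 6698 matching types

def dane_ee_match(tlsa, cert):
    """Check a DER cert against TLSA RDATA in presentation form ('3 1 1 <hex>')."""
    # Assumption: the TLSA RRset was already DNSSEC-validated by the resolver.
    usage, selector, mtype, *hexdata = tlsa.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False  # usages 0-2 also need certificate chain checks
    blob = cert if selector == 0 else spki_from_cert(cert)
    have = blob if mtype == 0 else HASHES[mtype](blob).digest()
    return hmac.compare_digest(have, bytes.fromhex("".join(hexdata)))

def _der(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form lengths only

# Constructed sample: a certificate-shaped DER skeleton with an all-zero
# Ed25519 key. It is not a valid certificate and carries no real signature.
SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x03, bytes(33)))
TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30) * 4 + SPKI)
CERT = _der(0x30, TBS + _der(0x30) + _der(0x03, b"\x00"))
RECORD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(RECORD, dane_ee_match(RECORD, CERT))
```

With selector 1 the record pins only the public key, so the certificate can be reissued with the same key without touching DNS; the match is only as trustworthy as the DNSSEC validation of the TLSA answer.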

