[AusNOG] Lets Encrypt

Paul van den Bergen paul.vandenbergen at gmail.com
Wed Nov 19 14:51:18 EST 2014


There are clearly 2 purposes to certificates and SSL that essentially are
at cross-purposes.

1) encrypt traffic in transit.
2) certify the identity of the other end.

Both boil down to trust.

The certificate that encrypts traffic still needs to have a trusted third
party to verify the certificate to prevent man-in-the-middle style attacks.

How can you build trust in the certificate provider? I'm pretty sure both
for-profit and under-resourced-and-free aren't working. This looks like
privately resourced and free. The next option would be not-for-profit and
not-free - i.e. an actual at-cost basis providing some "pain" to prevent
noise. I'm especially interested in the Bitcoin-DNS-trust-chain-like
approach [citation needed]

https://en.bitcoin.it/wiki/Alternative_chain


Correctly identifying someone on the internet is almost the definition of a
joke.

Certificates don't actually identify people. They identify a DNS name and/or
IP address. The transport is trusted to the DNS.

If you can't verify the DNS name holder, how can you identify the DNS entry
corresponds to the requestor of the certificate for that domain?

Worst case, automatic certificate generation for a DNS entry - you're no
worse off.


The real problem isn't technical or regulatory... it's legal... DNS is an
extension of copyright...



On Wed, Nov 19, 2014 at 2:31 PM, Matt Palmer <mpalmer at hezmatt.org> wrote:

> On Wed, Nov 19, 2014 at 12:18:42PM +1100, Jeremy Visser wrote:
> > On 19/11/14 10:34, Ernie wrote:
> > > It's going to be a non-profit organization that issues free
> > > certificates for any website.
> > >
> > > My question is, will this screw up companies like Verisign/Thawte
> > > sales?
> >
> > Given that StartSSL have been around for years, and do exactly that: no.
>
> No, they don't do "exactly that".  StartSSL's free tier is *explicitly* only
> for personal use, and yes, they *do* check.  Let's Encrypt appears to be
> ambivalent around the use that a certificate is put to, other than "it is
> used to secure traffic to your site".
>
> - Matt
>
> --
> You have a 16-bit quantity, but 5 bits of it are here and 2 bits of it are
> there... and 2 bits of it are back here and 3 bits of it are up there.  The
> C code to extract useful data had so many >> and << operators in it that it
> looked like the C++ version of "hello world".   -- Matt Roberds, ASR
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>



-- 
Dr Paul van den Bergen
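The two points made above (a certificate binds a DNS name or IP address, not a person, and the encryption is only as good as the trusted third party that signed the certificate) can be seen directly with Go's standard x509 library. The following is an added, self-contained example that is not part of the original post: it builds a throwaway root CA and a server certificate whose Subject names a (constructed, fictional) person while its Subject Alternative Names carry a DNS name and IP address, then shows which of those a TLS client actually matches on, and that the same certificate is rejected outright by a client that does not trust the issuing root. All names, addresses and keys are generated for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI holds a constructed (throwaway) root CA and one leaf it issued.
type PKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// Build creates a root CA and a server certificate signed by it. The leaf's
// Subject CN names a fictional person; the SANs carry the DNS name(s) and IP(s)
// that a client actually checks. Everything here is constructed for the example.
func Build(dnsNames []string, ips []net.IP) (*PKI, error) {
	now := time.Now()

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// A person's name in the Subject: never consulted for hostname matching.
		Subject:     pkix.Name{CommonName: "Jane Example (constructed)"},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames, // what the certificate actually identifies
		IPAddresses: ips,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Leaf: leaf}, nil
}

// NameMatches reports whether a client connecting to host would accept the
// leaf's identity: only SAN dNSName/iPAddress entries are compared.
func (p *PKI) NameMatches(host string) bool {
	return p.Leaf.VerifyHostname(host) == nil
}

// TrustPool returns the root set of a client that trusts this PKI's CA.
func (p *PKI) TrustPool() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(p.Root)
	return pool
}

// Trusted reports whether the leaf chains to a root in pool AND matches host.
// An empty pool models a client that has no trusted third party for this issuer.
func (p *PKI) Trusted(roots *x509.CertPool, host string) bool {
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	p, err := Build([]string{"www.example.org"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	fmt.Println("subject CN:          ", p.Leaf.Subject.CommonName)
	fmt.Println("matches DNS name:    ", p.NameMatches("www.example.org"))
	fmt.Println("matches IP address:  ", p.NameMatches("192.0.2.10"))
	fmt.Println("matches person's CN: ", p.NameMatches("Jane Example (constructed)"))
	fmt.Println("trusted, root known: ", p.Trusted(p.TrustPool(), "www.example.org"))
	fmt.Println("trusted, no root:    ", p.Trusted(x509.NewCertPool(), "www.example.org"))
}
```

The last two lines are the man-in-the-middle point: a certificate with exactly the right name is worthless to a client that has no trust anchor for whoever signed it, and conversely a client that trusts an issuer accepts any name that issuer was willing to put in a SAN, which is why the question of how a CA validates control of the DNS name matters more than anything written in the Subject.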