From: Matthew Seaman
Date: Sun, 03 Jun 2012 08:14:40 +0100
To: Chad Perrin
Cc: freebsd-ports@FreeBSD.org
Subject: Re: Please rebuild all ports that depend on PNG
Message-ID: <4FCB0EE0.1040004@FreeBSD.org>
In-Reply-To: <20120602225148.GA8486@hemlock.hydra>

On 02/06/2012 23:53, Chad Perrin wrote:

> In fact, many of the weaknesses of SSL systems as currently designed
> could be obviated by having used OpenPGP as the basis of the system
> rather than creating this whole PKI system for the sole purpose of making
> corporate CAs seem "necessary" as imaginary authorities who claim to be
> able to provide special "security" guarantees.

There's very interesting work going on at the moment about publishing
SSL keys or fingerprints via DNSSEC-secured DNS.  See:

http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
https://tools.ietf.org/html/draft-ietf-dane-protocol-21

So anyone in control of a DNS domain and capable of enabling DNSSEC can
issue themselves authenticable TLS certificates without having to line
the pockets of the CAs.

Server-side, support for the TLSA RR type this is all based on was added
to the last update of BIND, which hit stable on Friday.  Client side,
support is available in Chrome and Firefox by various means.

Other than throwing a big spanner into the works for the whole CA
business model, this moves the responsibility for identifying the site
owner from the CA to the DNS Registrar[*].  While the normal mode will
be to have authenticity assured from the root, this does in principle
permit any number of DLV-style trust anchors.  Whether that can be
parlayed into PGP style web-of-trust is an interesting question.

Cheers,

Matthew

[*] It's not hard to convince a DNS Registrar that you should have the
rights to a domain name -- you just keep giving them money.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
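
The TLSA check the message refers to, sketched as an added example that is not part of the original message or of any project's code: a client compares the certificate a server presents against the record published in DNS. Field numbering follows RFC 6698 (the published form of the linked draft); the function names are hypothetical, the byte strings are constructed placeholders for DER data, and DNSSEC validation of the DNS answer is assumed to have happened already.

```python
import hashlib
import hmac

# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

# Constructed placeholders standing in for DER data; not real certificates.
SPKI = b"constructed-subject-public-key-info"
CERT = b"constructed-cert-serial-1:" + SPKI
RENEWED_CERT = b"constructed-cert-serial-2:" + SPKI  # same key, reissued


def parse_tlsa(rdata):
    """Parse presentation-format RDATA: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError("unsupported TLSA parameters")
    # Zone files may split the hex data into whitespace-separated chunks.
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Build the RDATA a domain owner would publish for this certificate."""
    selected = cert_der if selector == 0 else spki_der  # 0 = cert, 1 = SPKI
    return f"{usage} {selector} {mtype} {_DIGESTS[mtype](selected).hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate matches this one TLSA record."""
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    selected = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(_DIGESTS[mtype](selected), assoc)


def any_tlsa_matches(rrset, cert_der, spki_der):
    """Accept if any record the client can interpret matches."""
    for rdata in rrset:
        try:
            if tlsa_matches(rdata, cert_der, spki_der):
                return True
        except ValueError:
            continue  # malformed or unsupported record: ignore it
    return False
```

A `3 1 1` record (hash of the public key) keeps matching when the certificate is reissued with the same key, whereas a `3 0 1` record (hash of the whole certificate) has to be republished on every reissue.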