Date: Sun, 07 Jan 2001 14:46:19 -0700
From: Wes Peters <wes@softweyr.com>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: Robert Watson <rwatson@FreeBSD.ORG>, security@FreeBSD.ORG
Subject: Re: Fw: Re: Antisniffer measures (digest of posts)
Message-ID: <3A58E3AB.1117EF2D@softweyr.com>
References: <E14FFLX-0003ok-00@smtpout.kingston-internet.net> <Pine.NEB.3.96L.1010107111516.27948D-100000@fledge.watson.org> <200101071925.OAA04427@khavrinen.lcs.mit.edu>
Garrett Wollman wrote:
>
> <<On Sun, 7 Jan 2001 11:21:16 -0500 (EST), Robert Watson <rwatson@FreeBSD.ORG> said:
>
> > an SSL telnet does offer something that SSH does not have: the ability to
> > connect to a new host without a manual keying procedure.
>
> Some people would say that this is a liability. I've got a number of
> particularly argumentative users here who insist that trusted third
> parties of any kind are fundamentally bad. While I don't necessarily
> agree, it is true that in any X.509 configuration it is necessary to
> be very careful about which CAs one trusts and for which purposes.
> (For our SSL applications here, we will only trust our own CA, since
> it is the only one capable of authenticating our users.)

Amen. The idea of a single large CA that can be trusted for everything is
ludicrous, the stuff business plans are made of. Like ssh, the X.509
certificate mechanism is a tool that must be used properly to function.
Pounding nails with a jeweler's screwdriver isn't an effective activity
either.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                                  http://softweyr.com/