Date: Sun, 3 Jun 2012 09:24:22 -0400
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Matthew Seaman <matthew@freebsd.org>
Cc: Chad Perrin <code@apotheon.net>, freebsd-ports@freebsd.org
Subject: Re: Please rebuild all ports that depend on PNG
Message-ID: <20120603132422.GA27292@DataIX.net>
In-Reply-To: <4FCB0EE0.1040004@FreeBSD.org>
References: <CAGFTUwMo51dWxM2p4STaqt-=NjzEuUH5U6nmbiuzVMtK6_W3dQ@mail.gmail.com> <20120602122658.0f86debc@scorpio> <CADLo8388dHiEZCxdXz9A=Ur5qPVzcfbxh43ZGgzfkbWk9r%2B%2BJg@mail.gmail.com> <20120602140703.004264ea@scorpio> <20120602225148.GA8486@hemlock.hydra> <4FCB0EE0.1040004@FreeBSD.org>
On Sun, Jun 03, 2012 at 08:14:40AM +0100, Matthew Seaman wrote:
> On 02/06/2012 23:53, Chad Perrin wrote:
> > In fact, many of the weaknesses of SSL systems as currently designed could be obviated by having used OpenPGP as the basis of the system rather than creating this whole PKI system for the sole purpose of making corporate CAs seem "necessary" as imaginary authorities who claim to be able to provide special "security" guarantees.
>
> There's very interesting work going on at the moment about publishing SSL keys or fingerprints via DNSSEC-secured DNS. See:
>
> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
> https://tools.ietf.org/html/draft-ietf-dane-protocol-21
>
> So anyone in control of a DNS domain and capable of enabling DNSSEC can issue themselves authenticable TLS certificates without having to line the pockets of the CAs. Server-side, support for the TLSA RR type this is all based on was added to the last update of BIND, which hit stable on Friday. Client side, support is available in Chrome and FireFox by various means.
>
> Other than throwing a big spanner into the works for the whole CA business model, this moves the responsibility for identifying the site owner from the CA to the DNS Registrar[*]. While the normal mode will be to have authenticity assured from the root, this does in principle permit any number of DLV-style trust anchors. Whether that can be parlayed into PGP style web-of-trust is an interesting question.
>

Hey! that's pretty cool. Thanks for the information Matt.

--
- (2^(N-1))
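As an added illustration of the TLSA mechanism Matthew describes (not code from the thread or from BIND), the following Python builds the record a domain owner would publish under `_443._tcp.<host>` and shows how a client matches a presented certificate against it. It follows the field layout of RFC 6698, the published form of the draft cited above (usage / selector / matching type / association data), restricts the matching step to the "pin your own certificate" case (usage 3, DANE-EE) that the thread is about, and assumes the caller already has the DER certificate and SubjectPublicKeyInfo bytes and has obtained the records through a DNSSEC-validating resolver; a TLSA answer that was not DNSSEC-validated proves nothing.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexparts)))

def association_data(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """Bytes the record must carry for this certificate (RFC 6698, 2.1)."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]  # KeyError if unknown
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")

def tlsa_rdata(cert_der: bytes, spki_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """RDATA the domain owner publishes, e.g. at _443._tcp.<host>."""
    digest = association_data(cert_der, spki_der, TLSA(usage, selector, mtype, b""))
    return f"{usage} {selector} {mtype} {digest.hex()}"

def dane_ee_match(cert_der: bytes, spki_der: bytes, records) -> bool:
    """True if a DANE-EE (usage 3) record pins the presented leaf certificate.
    Usages 0-2 need PKIX chain or trust-anchor handling and are skipped."""
    for rec in records:
        if rec.usage != 3:
            continue
        try:
            expected = association_data(cert_der, spki_der, rec)
        except (KeyError, ValueError):
            continue  # unusable selector or matching type: ignore the record
        if hmac.compare_digest(expected, rec.data):
            return True
    return False

# Constructed sample input: stand-in bytes, not a real X.509 certificate.
SAMPLE_CERT = b"constructed-der-certificate-bytes"
SAMPLE_SPKI = b"constructed-subject-public-key-info-bytes"
```

With a real certificate the two byte strings would come from the DER of the leaf and of its SubjectPublicKeyInfo, and selector 1 (the key rather than the whole certificate) keeps the pin valid across certificate renewals that reuse the key.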