Date: Sun, 03 Jun 2012 08:14:40 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: Chad Perrin <code@apotheon.net>
Cc: freebsd-ports@FreeBSD.org
Subject: Re: Please rebuild all ports that depend on PNG
Message-ID: <4FCB0EE0.1040004@FreeBSD.org>
In-Reply-To: <20120602225148.GA8486@hemlock.hydra>
References: <CAGFTUwMo51dWxM2p4STaqt-=NjzEuUH5U6nmbiuzVMtK6_W3dQ@mail.gmail.com> <20120602122658.0f86debc@scorpio> <CADLo8388dHiEZCxdXz9A=Ur5qPVzcfbxh43ZGgzfkbWk9r++Jg@mail.gmail.com> <20120602140703.004264ea@scorpio> <20120602225148.GA8486@hemlock.hydra>
On 02/06/2012 23:53, Chad Perrin wrote:
> In fact, many of the weaknesses of SSL systems as currently designed
> could be obviated by having used OpenPGP as the basis of the system
> rather than creating this whole PKI system for the sole purpose of making
> corporate CAs seem "necessary" as imaginary authorities who claim to be
> able to provide special "security" guarantees.

There's very interesting work going on at the moment about publishing SSL keys or fingerprints via DNSSEC-secured DNS. See:

http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
https://tools.ietf.org/html/draft-ietf-dane-protocol-21

So anyone in control of a DNS domain and capable of enabling DNSSEC can issue themselves authenticable TLS certificates without having to line the pockets of the CAs.

Server-side, support for the TLSA RR type this is all based on was added to the last update of BIND, which hit stable on Friday. Client side, support is available in Chrome and Firefox by various means.

Other than throwing a big spanner into the works for the whole CA business model, this moves the responsibility for identifying the site owner from the CA to the DNS Registrar[*]. While the normal mode will be to have authenticity assured from the root, this does in principle permit any number of DLV-style trust anchors. Whether that can be parlayed into PGP style web-of-trust is an interesting question.

Cheers,

Matthew

[*] It's not hard to convince a DNS Registrar that you should have the rights to a domain name -- you just keep giving them money.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
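As an added illustration of the TLSA mechanism discussed in the message above (constructed here; not code from either poster or from BIND): building the record a zone owner publishes, parsing its presentation form, and matching it against what a TLS server presented. The SPKI bytes are a constructed stand-in for a real certificate's DER SubjectPublicKeyInfo, and the `dnssec_validated` flag stands in for the resolver's validation result, which a real client must obtain from a validating resolver.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA certificate usages (RFC 6698); only DANE_TA/DANE_EE drop the CA requirement.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

@dataclass(frozen=True)
class TLSA:
    usage: int      # see constants above
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name the RRset is published under, e.g. _443._tcp.www.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def _digest(data: bytes, matching: int) -> bytes:
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {matching}")

def make_tlsa(selected: bytes, usage=DANE_EE, selector=1, matching=1) -> TLSA:
    """Record a zone owner publishes for its own certificate/SPKI DER bytes."""
    return TLSA(usage, selector, matching, _digest(selected, matching))

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format '3 1 1 <hex>' (hex may be split by spaces)."""
    usage, selector, matching, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))

def dane_match(records, selected, dnssec_validated):
    """Return (matching record or None, whether a PKIX chain check is still needed).
    `selected` maps selector -> DER bytes from the server's end-entity certificate.
    An RRset the resolver did not DNSSEC-validate proves nothing and is treated as
    absent. Trust-anchor usages (0, 2) match a CA cert in the chain, so are skipped."""
    if not dnssec_validated:
        return None, True
    for rec in records:
        data = selected.get(rec.selector)
        if data is None or rec.usage not in (PKIX_EE, DANE_EE):
            continue
        if hmac.compare_digest(_digest(data, rec.matching), rec.data):
            return rec, rec.usage == PKIX_EE  # usage 1 still needs the CA chain
    return None, True
```

The zone line for `make_tlsa(spki)` is `tlsa_owner_name(host) + " IN TLSA 3 1 1 " + rec.data.hex()`; only usage 3 lets the check succeed with no CA involved, which is the case the message is describing.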