From: Wes Peters
Organization: Softweyr LLC
Date: Sun, 07 Jan 2001 14:46:19 -0700
To: Garrett Wollman
Cc: Robert Watson, security@FreeBSD.ORG
Subject: Re: Fw: Re: Antisniffer measures (digest of posts)
Message-ID: <3A58E3AB.1117EF2D@softweyr.com>
References: <200101071925.OAA04427@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:
>
> < said:
>
> > an SSL telnet does offer something that SSH does not have: the ability to
> > connect to a new host without a manual keying procedure.
>
> Some people would say that this is a liability. I've got a number of
> particularly argumentative users here who insist that trusted third
> parties of any kind are fundamentally bad. While I don't necessarily
> agree, it is true that in any X.509 configuration it is necessary to
> be very careful about which CAs one trusts and for which purposes.
> (For our SSL applications here, we will only trust our own CA, since
> it is the only one capable of authenticating our users.)

Amen. The idea of a single large CA that can be trusted for everything
is ludicrous, the stuff business plans are made of. Like ssh, the X.509
certificate mechanism is a tool that must be used properly to function.
Pounding nails with a jeweler's screwdriver isn't an effective activity
either.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/