- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Sat, 14 Dec 2013 20:55:17 +0000
- To: Brian Smith <brian@briansmith.org>
- cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, William Chan (???) <willchan@chromium.org>, Paul Hoffman <paul.hoffman@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

In message <CAFewVt6j0yaRboARj=wpaVO2s9M6j7_za-GXLp9ZWqkFtSys8A@mail.gmail.com>, Brian Smith writes:

>We need to focus our effort on that problem.
>
>There are already at least three commercial CAs, that browsers trust, that
>give away free certificates:

[...]

That's not really the key problem.

The key problem is that there are too many CAs which have been willing or coerced to hand over bits, which allowed certain people to lie about who they were.

Forcing or coercing people to use a known broken solution, which only pretends to offer security, is at best deceptive and certainly worse than letting people knowingly use plaintext.

Until you can offer a secure alternative, trying to force people to use snake-oil security is just wrong.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Saturday, 14 December 2013 20:55:43 UTC