[Ach] StartSSL for Business Sysadmins

ianG iang at iang.org
Mon Jan 13 10:25:35 CET 2014

My point is this:  I would advise ACH to fight battles we can win.

Yes, we can win the battle of httpd config, it's bounded to only a 100 
or so params.  We can win StartSSL, or all of the hundred or so smaller 

IMHO:  we cannot win the battle of Better x509, CAs, certs, etc.  Or, if 
you can, you're a Better man than I, and the thousand others that also 
tried, and failed, and wasted countless years on it.


On 12/01/14 22:21 PM, Tobias Dussa (SCC) wrote:
> Hi,
>
> On Sun, Jan 12, 2014 at 09:17:56PM +0300, ianG wrote:
>> PKI is a nightmare and it is designed to be so.  There is no way to
>> make it Better, only more compliant with someone's guide or other.
>
> I beg to differ, but that doesn't really matter.
>
> What I do think is important is that we really shouldn't ignore the fact that
> X.509 is not an option in many users' and admins' lives, and that in many
> situations it actually is the best available way to meet security goals at a
> reasonable cost.
>
> We should instead help people to use it in a better way.  Instead of bitching
> that Microsoft or Debian or Mozilla or whoever includes a truckload of CAs that
> are trusted by default, we should tell people about it and what to do about it.
> Instead of declaring that we won't cover CAs at all because there are
> commercial CAs with questionable CP/CPSs out there we should tell people about
> the alternatives and what to look for.  Instead of ranting about how CAs can
> easily fake certificates for eavesdropping on individual connections, let's
> offer some instructions on how to detect and maybe avoid that.
>
> Based on my own experience, I think that that is indeed a huge subject field, so
> I think it was a good decision to leave it as is for the first release.  But I
> am also fairly certain that ignoring the subject won't make any of the problems
> go away.
>
> Just my €.02.
>
> Cheers,
> Toby.

