[Ach] StartSSL for Business Sysadmins

Tobias Dussa (SCC) tobias.dussa at kit.edu
Mon Jan 13 10:44:37 CET 2014


Hi,

On Mon, Jan 13, 2014 at 12:25:35PM +0300, ianG wrote:
> My point is this:  I would advise ACH to fight battles we can win.
> Yes, we can win the battle of httpd config, it's bounded to only a
> 100 or so params.  We can win StartSSL, or all of the hundred or so
> smaller systems.
> IMHO:  we cannot win the battle of Better x509, CAs, certs, etc.
> Or, if you can, you're a Better man than I, and the thousand others
> that also tried, and failed, and wasted countless years on it.

So essentially you don't think we can help make things more secure, X.509-wise,
because it is too big a task.  Fair enough, I suppose.  Like I said, I do agree
that it is a huge problem and takes a lot of work.

Still, even modest progress would make a big difference IMHO, and I am dead
certain that a LOT of people would really appreciate sound advice on this
matter.  Yes, there are many, many guides and papers on this, and most of them
are utter bullshit.  If we agree that we won't cover anything X.509-related
because it's too much of an effort, so be it.  I do think that exactly BECAUSE
it is so hard apparently people need good advice all the way, even if it is not
the all-encompassing Grand Unified Theory of All Things X.509.

Cheers,
Toby.
-- 
To err is human.  To really screw up it takes a computer.

----

Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa at kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4490 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20140113/9f6251e5/attachment.bin>


More information about the Ach mailing list