[Ach] StartSSL for Business Sysadmins
ianG
iang at iang.org
Mon Jan 13 11:06:38 CET 2014
Hi Tobias,
On 13/01/14 12:44 PM, Tobias Dussa (SCC) wrote:
> Hi,
>
> On Mon, Jan 13, 2014 at 12:25:35PM +0300, ianG wrote:
>> My point is this: I would advise ACH to fight battles we can win.
>> Yes, we can win the battle of httpd config, it's bounded to only a
>> 100 or so params. We can win StartSSL, or all of the hundred or so
>> smaller systems.
>> IMHO: we cannot win the battle of Better x509, CAs, certs, etc.
>> Or, if you can, you're a Better man than I, and the thousand others
>> that also tried, and failed, and wasted countless years on it.
>
> So essentially you don't think we can help make things more secure, X.509-wise,
> because it is too big a task. Fair enough, I suppose. Like I said, I do agree
> that it is a huge problem and takes a lot of work.
Well, more or less. "Too big a task" isn't the real reason but I guess
it's a sort of acceptable compromise :)
> Still, even modest progress would make a big difference IMHO, and I am dead
> certain that a LOT of people would really appreciate sound advice on this
> matter. Yes, there are many, many guides and papers on this, and most of them
> are utter bullshit. If we agree that we won't cover anything X.509-related
> because it's too much of an effort, so be it. I do think that exactly BECAUSE
> it is so hard apparently people need good advice all the way, even if it is not
> the all-encompassing Grand Unified Theory of All Things X.509.
That's absolutely true. People would appreciate good advice, and it's
really needed. I spent around 6 years on that project, so I know that,
for sure. Which might explain why I'm a bit brutal on this topic...
If you wanted to do that, provide good advice, I'd say set up a separate
document and a separate mailing list.
iang