
BLU Discuss list archive



Relevance of PGP?



On Jun 10, 2011, at 9:34 AM, Bill Ricker wrote:
> 
> On Fri, Jun 10, 2011 at 8:12 AM, Edward Ned Harvey <blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org> wrote:
>> Go get a free certificate from
> 
> a signature with a free CA cert deserves no trust - it verifies the
> email address was the email address on a certain date only.

Which for all useful purposes is useless.  This is only one step removed from the bogus certificates for Google and Amazon that were cut a few months ago.  These demonstrate the fundamental flaw in the concept of certificate authorities, a flaw that we've known about for at least two decades.  Specifically: there is no mechanism to verify the CAs themselves.  There is no way to detect that a CA has been subverted or compromised.

PGP was written not to use CAs specifically for this reason.  This makes PGP a little more cumbersome to use, but makes it impervious to S/MIME's most egregious flaw.

--Rich P.
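The two trust models contrasted in this message, as an added illustration that is not part of the thread or of any PGP or S/MIME implementation. Signatures and certificates are plain Python tuples (no real cryptography), because the point is how trust is computed once a signature check has already passed: in the CA model a chain ending at any root in the vendor-supplied store validates, so a cert minted by a subverted root is indistinguishable from a legitimate one; in a PGP-style web of trust, a signature only counts if you yourself assigned owner trust to the signer after verifying its fingerprint out of band. The web-of-trust rule (one fully trusted signer, or three marginally trusted ones, evaluated to a limited depth) follows GnuPG's classic model in simplified form; all names, keys and the `RogueRoot` store entry are constructed sample data.

```python
"""Toy comparison of CA-chain trust versus a PGP-style web of trust.

Added example, not code from the BLU thread. Nothing here is real
cryptography: assume every signature has already verified, and look only
at how each model decides *whose* signatures are allowed to confer trust.
"""
from dataclasses import dataclass, field


# --- CA model: valid if the issuer chain ends at ANY root in the store ----
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # for a self-signed root, issuer == subject


def ca_valid(leaf: Cert, certs: dict[str, Cert], roots: set[str]) -> bool:
    """Walk issuer links; succeed as soon as a store root is reached.

    Note what is NOT checked: whether the root that signed this chain is
    one you ever had reason to trust for this subject. Store membership,
    decided by the OS or browser vendor, is the whole test.
    """
    cur, seen = leaf, set()
    while cur.subject not in roots:
        if cur.issuer == cur.subject or cur.subject in seen:
            return False  # untrusted self-signed cert, or a loop
        seen.add(cur.subject)
        issuer = certs.get(cur.issuer)
        if issuer is None:
            return False  # chain is incomplete
        cur = issuer
    return True


# --- Web of trust: validity flows only from keys YOU verified -------------
FULL, MARGINAL = "full", "marginal"


@dataclass
class Keyring:
    verified: set[str] = field(default_factory=set)       # fingerprints you checked yourself
    owner_trust: dict[str, str] = field(default_factory=dict)  # key -> FULL / MARGINAL
    sigs: set[tuple[str, str]] = field(default_factory=set)    # (signer, signed key)


def wot_valid_keys(kr: Keyring, marginals_needed: int = 3, max_depth: int = 5) -> set[str]:
    """Fixed-point evaluation of key validity in the GnuPG classic style.

    A key becomes valid when signed by one valid FULLY trusted key or by
    `marginals_needed` valid MARGINALLY trusted keys. Owner trust is a
    decision you record per key; a signer with no owner trust contributes
    nothing, however many signatures it makes. Iteration is depth-limited
    so a cycle of signatures cannot loop forever.
    """
    valid = set(kr.verified)
    for _ in range(max_depth):
        added = set()
        for key in {signed for _, signed in kr.sigs} - valid:
            signers = {s for s, k in kr.sigs if k == key and s in valid}
            full = sum(1 for s in signers if kr.owner_trust.get(s) == FULL)
            marginal = sum(1 for s in signers if kr.owner_trust.get(s) == MARGINAL)
            if full >= 1 or marginal >= marginals_needed:
                added.add(key)
        if not added:
            break
        valid |= added
    return valid


# --- Constructed sample data --------------------------------------------
SAMPLE_CERTS = {
    "GoodRoot": Cert("GoodRoot", "GoodRoot"),
    "RogueRoot": Cert("RogueRoot", "RogueRoot"),   # a subverted CA, still in the store
    "www.example.test": Cert("www.example.test", "RogueRoot"),
}

SAMPLE_RING = Keyring(
    verified={"me"},
    owner_trust={"me": FULL, "bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL},
    sigs={("me", "bob"), ("me", "carol"), ("me", "dave"), ("me", "erin"),
          ("bob", "alice"),                                   # one full signer
          ("carol", "frank"), ("dave", "frank"), ("erin", "frank"),  # three marginals
          ("rogue", "grace")},                                # signer you never trusted
)

if __name__ == "__main__":
    leaf = SAMPLE_CERTS["www.example.test"]
    print("CA model, rogue root in store:", ca_valid(leaf, SAMPLE_CERTS, {"GoodRoot", "RogueRoot"}))
    print("CA model, rogue root removed: ", ca_valid(leaf, SAMPLE_CERTS, {"GoodRoot"}))
    print("Web of trust, valid keys:     ", sorted(wot_valid_keys(SAMPLE_RING)))
```

Running the script shows the asymmetry the message is pointing at: the certificate issued by `RogueRoot` validates for as long as that root sits in the store, and nothing in the chain walk can tell it from one issued by `GoodRoot`; in the keyring, `grace` never becomes valid because `rogue`'s signature carries no owner trust, while `alice` and `frank` do through keys whose fingerprints were verified by hand.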







BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org