Ah Python, you have spoiled me for all other languages

Johannes Bauer dfnsonfsduifb at gmx.de
Sat May 23 09:24:52 EDT 2015


On 23.05.2015 13:21, Tim Daneliuk wrote:

> Trust has context.  You're going to that site to read an article.  This
> is rather different than, say, going somewhere to transact commerce or
> move money.

Sure, for your site it doesn't really make a difference. And, as I said
before, having a self-signed CA certificate doing https is still WAY
better than not having it. Especially if you have PFS-only ciphersuites
configured (I didn't check, but you should if you're unsure). Because
this effectively means that you're protected against passive
eavesdropping, no matter what.

> So, there is increasing thought that we should all just
> run https everywhere all the time.  But then we run into the signing problem.
> I am hoping that we will soon see free or inexpensive CAs to make that
> problem go away.  See:

Running TLS everywhere is an awesome idea and I'm all for it. So good
that you've already made the switch :-)

But I don't think inexpensive CAs would make the signing problem go away.

I think the major flaw of the X.509 certificate PKI we have today is
that there's no namespacing whatsoever. This is a major problem, as the
Government of Untrustworthia may give out certificates for google.de if
they wish to do so.

In my opinion, it would be great to have a suffix-option in X.509 (maybe
there's even an extension for this already and I'm not aware -
regardless, nobody is using it if there is such a thing). For example,
there'd be root certificates in the certificate store:

CA1: PF=.com signs -> CA2: PF=.google.com
CA3: PF=.de

So CA1 could give out certificates for
foo.com
www.google.com

And CA2 could give out certificates for
www.google.com

And CA3 could give out certificates for
google.de

But CA1 could never sign any .de domain webserver certificate. It would
only ever get more restrictive down the chain.

Sounds like it's trivial to implement, I wonder why it's not in place.
It must have some huge drawback that I can't think of right now.

Cheers,
Johannes


-- 
>> Where EXACTLY had you predicted the earthquake again?
> At least not publicly!
Ah, the newest and to this day most ingenious prank of our great
cosmologist: the secret prediction.
 - Karl Kaos on Rüdiger Thomas in dsa <hidbv3$om2$1 at speranza.aioe.org>
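The suffix-restricted CA chain sketched in the message above, as an added example that is not part of the original post or the mailing list. X.509 does carry this idea as the Name Constraints extension of RFC 5280 (permittedSubtrees / excludedSubtrees on a CA certificate); the toy model below checks the same rule in pure Python without any certificate parsing. The CA names, suffixes and hostnames are the ones from the message plus a constructed look-alike (evil-google.com); the `CA` class, `within`, `validate_chain` and `may_sign` are hypothetical helpers written for this example.

```python
"""Toy model of suffix-constrained CAs (constructed example, not real PKI code).

Every CA carries a permitted suffix (PF). A sub-CA's suffix must lie inside
its issuer's suffix, and a leaf hostname must lie inside the suffix of the CA
that signs it, so constraints can only ever get narrower down the chain.
"""
from dataclasses import dataclass
from typing import Optional


def _labels(name: str) -> list:
    # "www.google.com" -> ["www", "google", "com"]; a leading dot is ignored
    return [lab for lab in name.lower().strip(".").split(".") if lab]


def within(name: str, suffix: str) -> bool:
    """True if *name* equals *suffix* or is a subdomain of it.

    The comparison is label by label, so "evil-google.com" is NOT within
    ".google.com" even though the raw string ends with "google.com".
    """
    n, s = _labels(name), _labels(suffix)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


@dataclass
class CA:
    name: str
    suffix: str                       # permitted suffix, e.g. ".com"
    issuer: Optional["CA"] = None     # None for a root in the trust store


def validate_chain(ca: CA) -> bool:
    """Each CA's suffix must be equal to or narrower than its issuer's."""
    while ca.issuer is not None:
        if not within(ca.suffix, ca.issuer.suffix):
            return False      # a sub-CA tried to widen its scope
        ca = ca.issuer
    return True


def may_sign(ca: CA, hostname: str) -> bool:
    """May *ca* issue a server certificate for *hostname*?

    The chain up to the root must only narrow, and the hostname must fall
    under the signing CA's own suffix; because the chain only narrows, it
    then also falls under every ancestor's suffix.
    """
    return validate_chain(ca) and within(hostname, ca.suffix)


if __name__ == "__main__":
    # The three CAs from the message (constructed trust store)
    ca1 = CA("CA1", ".com")
    ca2 = CA("CA2", ".google.com", issuer=ca1)
    ca3 = CA("CA3", ".de")
    cases = [(ca1, "foo.com"), (ca1, "www.google.com"),
             (ca2, "www.google.com"), (ca3, "google.de"),
             (ca1, "google.de"), (ca2, "foo.com"), (ca2, "evil-google.com")]
    for ca, host in cases:
        verdict = "allowed" if may_sign(ca, host) else "refused"
        print(f"{ca.name} (PF={ca.suffix}) -> {host}: {verdict}")
```

One caveat worth keeping in mind when comparing this toy with the real extension: in X.509 the constraint lives in the CA certificate and is enforced by the relying client during chain validation, not at issuance. A constrained CA can still physically sign a certificate outside its namespace; the protection is that a correctly validating client rejects that chain.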
