Ah Python, you have spoiled me for all other languages

Marko Rauhamaa marko at pacujo.net
Sat May 23 13:05:52 EDT 2015


Johannes Bauer <dfnsonfsduifb at gmx.de>:

> I think the major flaw of the X.509 certificate PKI we have today is
> that there's no namespacing whatsoever. This is a major problem, as
> the Government of Untrustworthia may give out certificates for
> google.de if they wish to do so.

But you're fine with the Government of Germany, I take it? Or any
accredited German CA?

Even well-meaning CAs do a lousy job. I remember when I purchased a
domain certificate from a reputable CA. How did they verify I was a
rightful representative of the domain? They called the phone number I
had filled in the application form -- since somebody (me) picked up the
phone, they accepted my application as legitimate.

When an HTTPS URL is displayed with the green lock icon, all it means is
that someone has paid good money for the certificate.

> Sounds like it's trivial to implement, I wonder why it's not in place.
> It must have some huge drawback that I can't think of right now.

How would your scheme address .com, .net, .org etc?


Marko



More information about the Python-list mailing list