[H-GEN] https + apache
Christopher Biggs
listjunkie at pobox.com
Mon Jul 21 06:00:17 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Russell Stuart <russell at stuart.wattle.id.au> moved upon the face of the 'Net and spake thusly:
> This should
> be drop dead easy, and I expect it is on many platforms. No one could
> call running the "openssl" program drop dead easy, however.
The openssl program is more of a test driver for libssl than a true
front end. Or, it could be seen as the collection of low-level
command-line operations upon which a true front end could be built.
The major difference between OpenSSL at $0.00 and the CA software
packages from RSA, Wedgetail et al. at circa $20,000.00 per seat is
precisely in the "boring" usability testing, interface polishing and
extensive documentation which open-source projects tend to lack, or at
least leave until last.
>
> This is where I insert my little rant about the OSI PKI system (for want
> of a better term).
>
X.509 is the standard covering the certificate formats and interchange messages.
> Now consider a different scenario. I go to a web site and am presented
> with multiple certs like this:
>
> Company XXX has banked with us for the last 20 years
> -- cert signed by bank BBB
> Company XXX has been reselling our palm pilots for 5 years
> -- cert signed by Palm, US.
> Company XXX lease this retail property at address AAA off
> us for 8 years
> -- cert signed by property owner OOOO
> Company XXX has been a registered business with $$$ turnover for
> 9 years
> -- cert signed by the ASIC
>
Interesting idea. Of course, you're then left with the problem of how
you tell the difference between a valid signature from the
"ComWestNatPacwealthNZional Banking Corporation" and a forged one;
you're back to square one...
> And that is what is wrong with PKI. It seeks to replace our "human web
> of trust relationships" with some artificial hierarchal thing, with all
> knowing gods at the top. I don't think it will ever work. PGP's web of
> trust is in some ways a much closer fit.
You nearly triggered my libertarian-vs-statist rant there. I'll leave
it at this: "Trust Us, we're from the Government and we're here to
help you" (or "...a Fortune 100 company...") is shorthand for "Bend
Over, Here It Comes Again".
I still don't think it's as bad as you picture it, however. You're still
not separating the issues of "am I really talking to FooBarSoft Inc."
and "how do I decide if I trust FooBarSoft". SSL was never intended
to address the second issue.
--cjb