[H-GEN] https + apache

Christopher Biggs listjunkie at pobox.com
Mon Jul 21 06:00:17 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Russell Stuart <russell at stuart.wattle.id.au> moved upon the face of the 'Net and spake thusly:

> This should
> be drop dead easy, and I expect it is on many platforms.  No one could
> call running the "openssl" program drop dead easy, however.

The openssl program is more of a test driver for libssl than a true
front end.  Or, it could be seen as the collection of low-level
command-line operations upon which a true front end could be built.

The major difference between OpenSSL at $0.00 and the CA software
packages from RSA, Wedgetail et al. at circa $20,000.00 per seat is
precisely in the "boring" usability testing, interface polishing and
extensive documentation which open-source projects tend to lack, or at
least leave until last.

>
> This is where I insert my little rant about the OSI PKI system (for want
> of a better term).
>

X.509 is the standard covering the certificate formats and interchange messages.

> Now consider a different scenario.  I go to a web site and am presented
> with multiple certs like this:
>
>     Company XXX has banked with us for the last 20 years
>        -- cert signed by bank BBB
> Company XXX has been reselling our palm pilots for 5 years
>        -- cert signed by Palm, US.
>     Company XXX leases this retail property at address AAA off
>     us for 8 years
>        -- cert signed by property owner OOOO
>     Company XXX has been a registered business with $$$ turnover for
>     9 years
>        -- cert signed by the ASIC
>

Interesting idea.  Of course, you're then left with the problem of how
you tell the difference between a valid signature from the
"ComWestNatPacwealthNZional Banking Corporation" and a forged one;
you're back to square one...

> And that is what is wrong with PKI.  It seeks to replace our "human web
> of trust relationships" with some artificial hierarchal thing, with all
> knowing gods at the top.  I don't think it will ever work.  PGP's web of
> trust is in some ways a much closer fit.

You nearly triggered my libertarian-vs-statist rant there.  I'll leave
it at this: "Trust Us, we're from the Government and we're here to
help you" (or "...a Fortune 100 company...")  is shorthand for "Bend
Over, Here It Comes Again".

I still don't think it's as bad as you picture it, however.  You're still
not separating the issues of "am I really talking to FooBarSoft Inc."
and "how do I decide if I trust FooBarSoft".  SSL was never intended
to address the second issue.

--cjb
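[Editor's note: the script below is an added example, not part of Chris's post or of any project he mentions. It shows the "low-level command-line operations" point above in practice: a throwaway two-tier CA built purely from openssl(1) subcommands, plus a verification step that illustrates the "valid vs. forged signature" problem raised earlier in the thread. The verifier accepts the server certificate only against the trust anchor it was told to use; a certificate chained to some other, unasked-for CA is rejected even though its signature is mathematically fine. The CA names, hostname and directory layout are made up for the illustration; the openssl flags used (req -x509, x509 -req -CA, verify -verify_hostname) are standard in OpenSSL 1.1.x and 3.x.]

```shell
#!/bin/sh
# Added example (not from the original post): a minimal CA built from the
# low-level openssl subcommands.  Names and paths are invented for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
# An explicit config is used so the CA gets basicConstraints/keyUsage
# regardless of which openssl.cnf (if any) the host ships.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
}

# issue_server_cert CADIR DIR HOST: generate a server key + CSR in DIR and
# have the CA in CADIR sign it as an end-entity cert for HOST (SAN set).
issue_server_cert() {
    cadir=$1; dir=$2; host=$3
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# verify_against CACERT CERT HOST: succeed (exit 0) only if CERT chains to
# the trust anchor CACERT *and* its SAN matches HOST.
verify_against() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo: the "which signature do I believe?" question from the thread.
demo() {
    work=$(mktemp -d)
    make_ca "$work/ca"    "Example Test CA"      # the CA we chose to trust
    make_ca "$work/other" "Unrelated CA"         # a CA nobody asked to trust
    issue_server_cert "$work/ca" "$work/srv" www.example.test

    if verify_against "$work/ca/ca.crt" "$work/srv/server.crt" www.example.test; then
        echo "trusted CA, right name:   accepted"
    fi
    if verify_against "$work/other/ca.crt" "$work/srv/server.crt" www.example.test; then
        echo "BUG: unrelated CA accepted"
    else
        echo "unrelated trust anchor:   rejected"
    fi
    if verify_against "$work/ca/ca.crt" "$work/srv/server.crt" wrong.example.test; then
        echo "BUG: wrong hostname accepted"
    else
        echo "right CA, wrong hostname: rejected"
    fi
}

# Run the demo only when executed directly, not when sourced.
[ "${0##*/}" = "sh" ] || demo
```

Note what the script does and does not settle: it answers "is this really www.example.test, according to the CA I configured?", which is the first of the two questions separated at the end of the post. Whether that CA deserved to be configured in the first place is exactly the second question, and nothing in openssl(1) answers it.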



--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/