Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!aioe.org!.POSTED!not-for-mail From: Ivan Shmakov Newsgroups: comp.security.misc Subject: Re: Avoid HTTPS when possible? Date: Sun, 22 Jan 2012 12:28:38 +0700 Organization: Aioe.org NNTP Server Lines: 27 Message-ID: <86k44k71bt.fsf@gray.siamics.net> References: <5b6b58.6lp.19.1@news.alt.net> NNTP-Posting-Host: FtDGZaUx6k7Bzdiv4MgYAg.user.speranza.aioe.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Complaints-To: abuse@aioe.org User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux) X-Notice: Filtered by postfilter v. 0.8.2 Cancel-Lock: sha1:XQd15L4A+l11PDIyECbwAYMKs3I= Xref: x330-a1.tempe.blueboxinc.net comp.security.misc:337 >>>>> Lasse Kliemann writes: [...] > So I would put the SSL fingerprint of my webserver on the visiting > card, in order that users can check the fingerprint and then import > the server certificate into their browser. However, this is in vain > if some CA issues false certificates for my domain. AIUI, it's not. A CA could indeed issue a false certificate for the domain name. However, it isn't that easy to make it possess the same fingerprint, as it's the server's public key that the fingerprint is computed from. Actually, the whole point of CA's is to simplify public key exchange. In a world where everyone is able to just send his or her own public keys, or (though less secure) their respective fingerprints, to everyone, there's no need in CA. Ultimately, yes, I believe that the WoT approach will offer better security than the current CA's, but that's going to take a lot of education and responsibility. [...] -- FSF associate member #7257