On 17/05/2013 17:43, Russ Allbery wrote:
> [...]
> 4. Hijack that metadata identity request so that it goes to their server
> instead of mine. This can be done in any number of ways (DNS cache
> poisoning, compromise of www.eyrie.org, compromise of my account on
> www.eyrie.org, TCP active MITM, etc.) depending on the situation.
> [...]
> The obvious way to authenticate the connection to www.eyrie.org to
> retrieve my metadata is to validate the www.eyrie.org certificate against
> a CA, which is where the CA cartel is reintroduced into the picture.

But if www.eyrie.org is compromised (as you seem to allow), then having
a CA-certified certificate won't help, will it? I wouldn't rely on a
trust chain involving an online private key in this context...

--
Stéphane