On 26/07/2017 6:20 AM, Adam Borowski wrote:
> https provides no protection against targeted attacks by government agents.
> The CA cartel model consists of 400+ CAs, many of them outright controlled
> by governments, most of the rest doing what they're told (no, warrants are
> a story for nice kids). Clients in general trust _any_ CA, which means
> you're only as secure as the worst CA. I.e., https protects you against Joe
> Script Kiddie but not against a capable opponent.

Except there are new-ish ways to limit the scope from 400+ CAs to just the one you use. cf. /Certification Authority Authorization/ (/CAA/) /DNS/ Resource https://tools.ietf.org/html/rfc6844 ... if APT wishes to support this.
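The CAA mechanism referenced in the message above, as an added example that is not part of the original thread or of APT: it decodes CAA RDATA as laid out in RFC 6844 and applies the check a CA is expected to run before issuing. The zone contents, `ca.example` and `other.example` are constructed placeholders, and the lookup that finds the relevant record set (climbing the DNS tree) is assumed to have happened already.

```python
# Added example: CAA (RFC 6844) RDATA decoding and the issuer check.
# All record bytes and CA names below are constructed placeholders.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata: bytes) -> dict:
    """Decode CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    # Issuer Critical is bit 0 of the flags byte, i.e. the most significant bit.
    return {"critical": bool(flags & 0x80), "tag": tag, "value": value}

def issuer_domain(value: str) -> str:
    """'ca.example; account=1' -> 'ca.example'; ';' alone -> '' (no CA allowed)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records: list, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue, given the already-fetched CAA set."""
    if not records:
        return True  # no CAA records: issuance is unrestricted
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False  # unknown critical property: must not issue
    issue = [r for r in records if r["tag"] == "issue"]
    issuewild = [r for r in records if r["tag"] == "issuewild"]
    # For wildcard requests, issuewild takes precedence over issue when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # assumption: a set without issue properties does not restrict
    return any(issuer_domain(r["value"]) == ca_domain.lower() for r in relevant)

# Constructed record set for a hypothetical zone: only ca.example may issue.
SAMPLE = [parse_caa(b"\x00\x05issueca.example"),
          parse_caa(b"\x00\x05iodefmailto:sec@example.org")]

if __name__ == "__main__":
    for ca in ("ca.example", "other.example"):
        print(ca, "->", "may issue" if may_issue(SAMPLE, ca) else "must refuse")
```

The restriction takes effect at issuance time on the CA side; a client that trusts the full root store still accepts any certificate that was issued.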

