On Fri, Dec 08, 2006 at 04:15:15AM -0800, David Schwartz wrote:

> > > Actually, David, the truth is that you're really not getting these
> > > guarantees that you're looking for.
>
> Correct. In a technical sense, *you* do not get the guarantees, your end of
> the HTTPS connection does. Whether you choose to trust your end or not is a
> separate issue.
Does this debate belong here? It has been hashed out many times on the cryptography list, and does not appear to be specific to OpenSSL.

Yes, the security of unauthenticated TLS is rather questionable. Yes, the security of authenticated TLS with root CAs has many known issues, but is generally stronger than unauthenticated TLS. Not all CAs (especially the process they use to verify domains, by e.g. confirming unauthenticated delivery of email to administrator accounts) are worthy of the same level of trust. It is difficult to only trust a CA to vouch for a subset of the DNS namespace... The marriage of convenience between IETF protocols and X.509v3 leaves much to be desired.

I would like to suggest that we leave it there, without additional rounds of back and forth counter-claims.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
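Viktor's remark that it is hard to trust a CA for only a subset of the DNS namespace can be made concrete in code. The block below is an added example, not code from this thread or from the OpenSSL project: it constructs a throwaway root CA and one server certificate in memory with Go's crypto/x509, runs the ordinary chain-and-hostname check that every trusted root passes, and then layers a relying-party policy on top in which each root, identified by its SHA-256 fingerprint, may vouch only for listed DNS suffixes. The names (www.example.com, example.com, corp.test), the scope map layout and the helper names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// check panics on error: this file builds a throwaway test fixture, not production code.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint signs tmpl with priv (the parent's key) and parses the DER back into a certificate.
func mint(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// buildPKI constructs an in-memory root CA and one server certificate it has signed
// for www.example.com (constructed fixture; both are regenerated on every run).
func buildPKI() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca = mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leaf = mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf
}

// fingerprint is the hex SHA-256 of the DER encoding, the usual handle for pinning a root.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// verifyStandard is ordinary authenticated-TLS verification: chain to a trusted root and
// match the hostname against the SAN. Any trusted root may vouch for any name.
func verifyStandard(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyScoped adds the relying-party policy: each trusted root, keyed by fingerprint, may
// vouch only for the DNS suffixes listed for it; an otherwise valid chain is rejected if not.
func verifyScoped(leaf, ca *x509.Certificate, host string, scope map[string][]string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		for _, suffix := range scope[fingerprint(root)] {
			if host == suffix || strings.HasSuffix(host, "."+suffix) {
				return nil
			}
		}
	}
	return fmt.Errorf("no trusted root is scoped to vouch for %q", host)
}

func main() {
	ca, leaf := buildPKI()
	fmt.Println("standard:", verifyStandard(leaf, ca, "www.example.com"))
	fmt.Println("scoped to example.com:", verifyScoped(leaf, ca, "www.example.com", map[string][]string{fingerprint(ca): {"example.com"}}))
	fmt.Println("scoped to corp.test:", verifyScoped(leaf, ca, "www.example.com", map[string][]string{fingerprint(ca): {"corp.test"}}))
}
```

The scoped check runs after the standard chain building rather than replacing it, so expiry, signature and hostname failures are still reported by the library. X.509 does define a Name Constraints extension for this purpose (and Go's verifier honours it when present), but it only helps when the CA itself chose to include it; the policy above is applied on the relying party's side and works against any root in the trust store.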