oss-sec mailing list archives

Re: upstream source code authenticity checking

From: Dag-Erling Smørgrav <des () des no>
Date: Fri, 26 Apr 2013 11:47:27 +0200

Kurt Seifried <kseifried () redhat com> writes:

Dag-Erling Smørgrav <des () des no> writes:

This is exactly the logic used by web browsers to justify scaring
users away from https sites that haven't payed the Verisign tax...

Huh? That makes no sense. There's at least one free CA that has a root
cert in most browsers (http://cert.startcom.org/). I'm sorry but your
comment in this context doesn't appear to make any sense.


I wasn't aware of StartCom.  I've been using CACert, which is not
included in browsers.

My point was that browsers go to great lengths to prevent users from
visiting sites that use self-signed certificates, or certificates signed
by a CA which the browser does not know / trust, but will happily let
users submit forms on unencrypted sites without even a warning.  This is
the same "no security is better than imperfect security" logic.

DES
-- 
Dag-Erling Smørgrav - des () des no

Current thread:

Re: upstream source code authenticity checking, (continued)
- - Re: upstream source code authenticity checking Stuart Henderson (Apr 22)
- Re: upstream source code authenticity checking Eric H. Christensen (Apr 24)
  - Re: upstream source code authenticity checking Alistair Crooks (Apr 24)
    - Re: upstream source code authenticity checking Allan McRae (Apr 24)
    - Re: upstream source code authenticity checking Kurt Seifried (Apr 25)
    - Re: upstream source code authenticity checking Daniel Kahn Gillmor (Apr 25)
    - Re: upstream source code authenticity checking Alistair Crooks (Apr 25)
    - Re: upstream source code authenticity checking Kurt Seifried (Apr 25)
    - Re: upstream source code authenticity checking Dag-Erling Smørgrav (Apr 26)
    - Re: upstream source code authenticity checking Kurt Seifried (Apr 26)
    - Re: upstream source code authenticity checking Dag-Erling Smørgrav (Apr 26)
    - Re: upstream source code authenticity checking Alistair Crooks (Apr 26)
    - Re: upstream source code authenticity checking Kurt Seifried (Apr 26)
    - Re: upstream source code authenticity checking Eric H. Christensen (Apr 29)
    - Re: upstream source code authenticity checking Daniel Kahn Gillmor (Apr 30)
    - Re: upstream source code authenticity checking Robbie MacKay (May 01)
    - Re: upstream source code authenticity checking Alistair Crooks (May 02)
    - OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking] Daniel Kahn Gillmor (May 02)
    - Re: OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking] Simon McVittie (May 02)
    - Re: upstream source code authenticity checking Kurt Seifried (May 02)
    - Re: upstream source code authenticity checking Russ Allbery (May 02)

(Thread continues...)