Open Source and information security mailing list archives
 
Date: Wed, 8 Sep 2010 21:04:33 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Andrew Auernheimer <gluttony@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: [GOATSE SECURITY] Clench: Goatse's way to say
 "screw you" to certificate authorities

So now it's a matter of scaling?

I'd rather stay on the grounds of certificates, where scaling has been
one of the primary focuses since the early 2k.

In my opinion it's pretty much useless reinventing the wheel; the idea
behind certificates is as much a security medium as is the party being
actively recognized.

Back to your implementation, you need to know who the passphrase is
coming from and most importantly, you need means to verify that party.

So it boils down to who's dictating who is trusted or not.
You or Them.





On Wed, Sep 8, 2010 at 8:53 PM, Andrew Auernheimer <gluttony@...il.com> wrote:
>> This is no different than installing a client cert
>
> Yes, exactly. This is as equally secure as installing a client cert.
> Except it is achieved without a client cert, using only a password, in
> a manner that can be more easily scaled to lots of users.
>
>>
>>
>> Trying to not sound like a dick,
>> dvs.
>>
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
