Mailing List Archive



Re: [tlug] System security and public policy [was: Anyone seen this gizmo yet?]



On 2009-09-08 18:27 +0900 (Tue), Edward Middleton wrote:

> With only a domain name check it doesn't tell you who the holders of the
> domain are.  Without that information it is pretty difficult to assess
> the trustworthiness of the site.

It's easy to look up the holders of the domain in the whois database.
However, even with that information, it can be difficult to assess
the trustworthiness of a site. So here we see again a decision to do
what you can do consistently, and not do partially what you cannot do
completely.

The vital thing that the cert provides is that, once you've decided to trust
a particular certificate holder, you from that point on know that when you
return to the site, you are talking to that same certificate holder, or
someone to whom he's delegated that domain name.

(Actually, this is not quite true in that if your intervals between
visits are long enough, the domain could be allowed to expire, fall into
the hands of someone hostile, and they could have a new certificate
issued. On the other hand, that's arguably the fault of the original
holder of the domain name, and there are plenty of other security
mess-ups that the original holder could make that would result in
similar problems.)

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974
           Functional programming in all senses of the word:
                   http://www.starling-software.com
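The continuity property Curt describes (once you have decided to trust a certificate holder, later visits can be checked against that same holder) is the same idea as a trust-on-first-use pin store. The following is an added example, not code from the thread; the hostnames, certificate bytes and timestamps are constructed stand-ins, and the staleness threshold is an assumed value, not a standard.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed threshold: a gap this long between visits is long enough for a
# domain to lapse and be re-registered, which is the caveat in the post.
STALE_AFTER = 365 * 24 * 3600  # seconds


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate (what browsers display).

    Pinning the whole certificate means a routine renewal also shows up as
    'changed'; pinning the public key instead would survive renewals with
    the same key, but extracting it needs an X.509 parser not in the
    standard library, so this example keeps the simpler whole-cert pin.
    """
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    # host -> (fingerprint, last_seen_timestamp)
    pins: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes, now: float):
        """Return (verdict, seconds_since_last_visit) for this visit.

        verdict is 'new' (first visit, user decides whether to trust),
        'same' (same holder as before), or 'changed' (same name, different
        certificate: a re-issue, a key rotation, or a domain that changed
        hands; the gap helps the user judge which is plausible).
        """
        fp = fingerprint(cert_der)
        if host not in self.pins:
            self.pins[host] = (fp, now)
            return ("new", 0.0)
        known_fp, last_seen = self.pins[host]
        gap = now - last_seen
        if fp != known_fp:
            # Never silently overwrite the pin; surface the change instead.
            return ("changed", gap)
        self.pins[host] = (fp, now)
        return ("same", gap)


def is_stale(gap_seconds: float) -> bool:
    """True when the gap is long enough that a lapsed domain is plausible."""
    return gap_seconds > STALE_AFTER
```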

