Gregory Maxwell [ARCHIVE] on Nostr: 📅 Original date posted:2013-12-08 📝 Original message:On Sun, Dec 8, 2013 at ...
📅 Original date posted:2013-12-08
📝 Original message:On Sun, Dec 8, 2013 at 1:07 PM, Drak <drak at zikula.org> wrote:
> Simple verification relies on being able to answer the email sent to the
> person in the whois records, or standard admin/webmaster@ addresses to prove
> ownership of the domain
Godaddy and many other CA's are verified from nothing other than a
http fetch, no email involved.
As I said, I'm willing to demonstrate if you have a domain.
> You cannot MITM SSL connections
You can, once you've obtained a certificate.
> Anyway, I take your points, but this is an area I am quite passionate about
> so it's important for me to be clear.
As I warned before, you're making my reconsider my position about the
downloads being SSL. If people are so convinced that SSL provides
protection it does not that even with an explanation and and an offer
to demonstrate then perhaps providing SSL will reduce people's
security.
... the _only_ reason I don't yet hold that position now is that I
know objectively that almost no one tests the signatures.
On Sun, Dec 8, 2013 at 1:11 PM, Drak <drak at zikula.org> wrote:
> It's not just about trust, there is the robustness factor: what if he
> becomes sick, unavailable, hit by a bus? Others need the ability to pickup
> and run with it. The control over the domain (including ability to renew
> registration, alter nameservers) needs to be with more than one person.
> That's why I suggest using the same people who have control over the
> software project at sf,github.
My understanding is that the domain is already controlled by more than
one person. You're not the first person to think of these things. :)
📝 Original message:On Sun, Dec 8, 2013 at 1:07 PM, Drak <drak at zikula.org> wrote:
> Simple verification relies on being able to answer the email sent to the
> person in the whois records, or standard admin/webmaster@ addresses to prove
> ownership of the domain
Godaddy and many other CA's are verified from nothing other than a
http fetch, no email involved.
As I said, I'm willing to demonstrate if you have a domain.
> You cannot MITM SSL connections
You can, once you've obtained a certificate.
> Anyway, I take your points, but this is an area I am quite passionate about
> so it's important for me to be clear.
As I warned before, you're making my reconsider my position about the
downloads being SSL. If people are so convinced that SSL provides
protection it does not that even with an explanation and and an offer
to demonstrate then perhaps providing SSL will reduce people's
security.
... the _only_ reason I don't yet hold that position now is that I
know objectively that almost no one tests the signatures.
On Sun, Dec 8, 2013 at 1:11 PM, Drak <drak at zikula.org> wrote:
> It's not just about trust, there is the robustness factor: what if he
> becomes sick, unavailable, hit by a bus? Others need the ability to pickup
> and run with it. The control over the domain (including ability to renew
> registration, alter nameservers) needs to be with more than one person.
> That's why I suggest using the same people who have control over the
> software project at sf,github.
My understanding is that the domain is already controlled by more than
one person. You're not the first person to think of these things. :)