Full Disclosure mailing list archives

Re: [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities


From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 8 Sep 2010 21:04:33 +0200

So now it's a matter of scaling?

I'd rather stay on the grounds of certificates, where scaling has been
one of the primary focuses since the early 2k.

In my opinion it's pretty much useless reinventing the wheel; the idea
behind certificates is as much a security medium as is the party being
actively recognized.

Back to your implementation, you need to know who the passphrase is
coming from and most importantly, you need means to verify that party.

So it boils down to who's dictating who is trusted or not.
You or Them.





On Wed, Sep 8, 2010 at 8:53 PM, Andrew Auernheimer <gluttony () gmail com> wrote:
This is no different than installing a client cert

Yes, exactly. This is as secure as installing a client cert.
Except it is achieved without a client cert, using only a password, in
a manner that can be more easily scaled to lots of users.



Trying to not sound like a dick,
dvs.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/