Please rebuild all ports that depend on PNG
Jason Hellenthal
jhellenthal at dataix.net
Sun Jun 3 13:24:27 UTC 2012
On Sun, Jun 03, 2012 at 08:14:40AM +0100, Matthew Seaman wrote:
> On 02/06/2012 23:53, Chad Perrin wrote:
> > In fact, many of the weaknesses of SSL systems as currently designed
> > could be obviated by having used OpenPGP as the basis of the system
> > rather than creating this whole PKI system for the sole purpose of making
> > corporate CAs seem "necessary" as imaginary authorities who claim to be
> > able to provide special "security" guarantees.
>
> There's very interesting work going on at the moment about publishing
> SSL keys or fingerprints via DNSSEC-secured DNS. See:
>
> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
>
> https://tools.ietf.org/html/draft-ietf-dane-protocol-21
>
> So anyone in control of a DNS domain and capable of enabling DNSSEC can
> issue themselves authenticable TLS certificates without having to line
> the pockets of the CAs. Server-side, support for the TLSA RR type this
> is all based on was added to the last update of BIND, which hit stable
> on Friday. Client side, support is available in Chrome and Firefox by
> various means.
>
> Other than throwing a big spanner into the works for the whole CA
> business model, this moves the responsibility for identifying the site
> owner from the CA to the DNS Registrar[*]. While the normal mode will
> be to have authenticity assured from the root, this does in principle
> permit any number of DLV-style trust anchors. Whether that can be
> parlayed into PGP style web-of-trust is an interesting question.
>
Hey! That's pretty cool. Thanks for the information Matt.
--
- (2^(N-1))
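
An added example, not part of the original message or of the DANE draft it links to: how a TLSA record ties a certificate to a DNS name, and how a client checks the certificate a server presents against it. It is narrowed to selector 0 (the full certificate), assumes the TLSA RRset has already been DNSSEC-validated, and uses constructed byte strings and the name www.example.org as stand-ins for real certificates and hosts.

```python
import hashlib
import hmac

# Matching type: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_CERT = b"constructed-der-bytes-for-www.example.org"
ROGUE_CERT = b"constructed-der-bytes-from-another-issuer"

def make_tlsa(cert_der, usage=3, selector=0, mtype=1):
    """Build TLSA RDATA; usage 3 = domain-issued certificate, no CA chain."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is handled here")
    if usage not in range(4) or mtype not in _DIGESTS:
        raise ValueError("unknown TLSA field value")
    return "%d %d %d %s" % (usage, selector, mtype, _DIGESTS[mtype](cert_der).hex())

def parse_tlsa(rdata):
    """Split RDATA into usage, selector, matching type and association bytes."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError("unknown TLSA field value")
    # Zone files may break the hex string into whitespace-separated chunks.
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def cert_matches(rdata, cert_der):
    """True if the certificate the server presented matches this record."""
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is handled here")
    return hmac.compare_digest(_DIGESTS[mtype](cert_der), assoc)

def rrset_accepts(rrset, cert_der):
    """A TLSA RRset may hold several records, e.g. during a key rollover."""
    return any(cert_matches(rdata, cert_der) for rdata in rrset)

if __name__ == "__main__":
    record = make_tlsa(SAMPLE_CERT)
    print("_443._tcp.www.example.org. IN TLSA", record)
    print("genuine:", cert_matches(record, SAMPLE_CERT))
    print("substituted:", cert_matches(record, ROGUE_CERT))
```
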
More information about the freebsd-ports
mailing list