regarding ssl certificates
Jochen Bern
Jochen.Bern at binect.de
Thu Mar 14 19:07:19 EET 2019
(Sorry for the broken references, my MUA misplaced the e-mail I'm
*actually* replying to.)

On 03/14/2019 03:08 PM, Stephan von Krawczynski wrote:
> Some facts for you, as obviously you have not understood what a CA is worth
> that is compromised by either hackers or "authorities".
> If you want to know more, read articles about closing of CA DigiNotar, like:
> https://en.wikipedia.org/wiki/DigiNotar
>
> Then read US export laws concerning security devices.
> Then judge your US-issued certs...

Out of interest, does(*) or doesn't(**) your scenario include mechanisms
like HPKP?

(*) I'm not aware of any MUAs implementing one, just browsers, and it's
now being phased out by *them* in favor of CT, too.

(**) If not, the question of what CAs issued any *legit* certs for you
has no practical relevance on whether and which other CAs may get hacked
or judicially suborned into creating a working fraudulent one.
(Where "practical" means "you cannot expect the entire, possibly
worldwide, user population to manually strip their clients' list of
accepted CAs down to the one *you* chose".)

Regards,
--
Jochen Bern
Systemingenieur
www.binect.de
www.facebook.de/binect