[Discuss] Why the dislike of X.509?

Richard Pieri richard.pieri at gmail.com
Mon Aug 25 13:22:46 EDT 2014


On 8/25/2014 12:25 PM, John Abreau wrote:
> So you hate OpenVPN, which uses the user's own private self-generated
> SSL certificate authority and does *not* require the centralized
> certificate authorities, because SSL in web browsers requires
> the centralized certificate authorities?

The SSL root CAs are a type of centralized CA: they're public CAs. It's
not the publicness that makes them centralized; it's that all of the
certificates they issue are chained to their root certificates. A
private, self-signed CA is still a central CA: all certificates issued
by it are chained to that authority's root certificate. This is the very
definition of centralized.

It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated
them since the early 1990s. I hate them because they're single points of
compromise for entire systems. I hate them because compromise is
undetectable by users.

-- 
Rich P.


