[Discuss] Why the dislike of X.509?

Richard Pieri richard.pieri at gmail.com
Mon Aug 25 14:23:06 EDT 2014


On 8/25/2014 1:57 PM, John Abreau wrote:
> So the problem is that in order to connect to your company's VPN, you're
> forced to trust the syadmin who administers the company's VPN server,
> since he controls the company's "centralized" CA root for the VPN server?

More generally, even if the sysadmin is trustworthy there is no way for
me, the user, to know if someone else has obtained unauthorized access
to the escrow. Which is to say, I'm expected to blindly trust that the
system hasn't been compromised by bad actors without any proof at all
that this is the case.


> The part I don't get is the claim that OpenVPN is vulnerable because
> the public infrastructure that OpenVPN DOES NOT USE is vulnerable.

Like I wrote before, it's not the publicness of the CA; it's the
centralness. Public or private, any CA is a single point of compromise
for its entire domain.

-- 
Rich P.



More information about the Discuss mailing list