On Apr 7, 2014, at 22:51, Thomas Klausner <wiz%netbsd.org@localhost> wrote:

> On Mon, Apr 07, 2014 at 05:50:53PM +0200, Alistair Crooks wrote:
>> Personally, I would never trust a CA-signed cert for this use case,
>
> I'm probably missing something, but what's the problem with including
> one CA root certificate with pkgsrc, created by TNF, and certifying
> bulk builders with it?

I think he rants at the commercial CA industry.

Anyway, read the paper, it seems none of the open source implementations (which are the most popular ones) they tested managed to handle all the different certificate parameters correctly for all given situations…

/P