[Cryptography] Verisimilitrust
John Denker
jsd at av8n.com
Sat Jan 9 05:18:17 EST 2016
On 01/08/2016 01:44 PM, Viktor Dukhovni wrote:
> the code that's enforcing name constraints if often no the code
> doing the name checks, so neither knows what the other is doing.
Patient: Doctor, doctor, it hurts when I do /THIS/.
Dr. Henny Youngman: So don't do that.
> If FF imports a name-constrained .kz root, they can certainly
> restrict it to .kz names in FF, but many O/S distributions import
> the FF bundle as a "default" vetted trust store, at which point
> the name constraints are likely to not be enforced in many cases.
In other words, Francine has a perfectly usable lock on her
door, but she refuses to use it, because she heard that Oscar,
who lives across town, has a broken lock on his door, which he
refuses to fix, even though it would be easy to fix.
It still seems like a Henny Youngman problem.
Garbage in, garbage out.
More information about the cryptography
mailing list