[Cryptography] Commercial PKI as dog poop
Viktor Dukhovni
cryptography at dukhovni.org
Thu May 13 02:04:49 EDT 2021
On Wed, May 12, 2021 at 02:52:53PM +0000, Salz, Rich via cryptography wrote:
> > (In an optimal world, we wouldn't have to trust the CDN, but this will require a TLS without the 'T'...)
>
> The relationship between a business and its CDN is a contractual
> agreement between the two parties. You shouldn’t care about the CDN
> about as much as you care about what gateways they have in their DMZ,
> and so on: in other words, complain to the company if something is
> broken.
Certainly for things like OS software updates downloaded by tens of
millions of users (or more), a CDN certificate adds some minimal
additional assurance beyond the vendor's signature of the software
update, presumably also checked by the installer.
Of course there's all the fine software that's installed and updated
via:
curl -sL https://github.com/joeshmoe/coolwarez/... | bash -
Most of the time, I worry more about the suply chain (bits at rest) than
the transmission channel, though both warrant attention.
--
Viktor.
More information about the cryptography
mailing list