I'm not surprised, I even see the benefit, but for our not so small use case, it borders on the irrelevant. Not worth accepting the risk of less than stellar security game.
-
Let me put it this way. I’m hopeful *for* a future where we can say more than “just use TLS”. One isn’t impossible, just how we’ve been saying to achieve it doesn’t actually work in practice. Uptane’s young. But promising.
-
"Just use TLS" isn't easy nor necessarily useful when you think about it. https://twitter.com/caovc/status/1039768056493432832 …
-
(That tweet being about the current Ubuntu release btw. @ubuntu also doesn't manage to "just use TLS")
-
Complete opposite approach here — I’m trying to drill into what’s really going on with “just use tls”. Is it more expensive? Is it operational? I put together https://github.com/dakami/jfe a while back and want to see its faults.
-
This started with “I can’t believe file oriented crypto failed” and it’s stupid, it effectively always does. But it’s true, there is resistance to universal TLS, so what’s the truth there?
-
Load balancing is often done on a DNS level, so every mirror (it's trivial to become a mirror) would need a certificate for the same address. If you start giving out certs in bulk you may as well not bother with TLS. Checking file integrity is not a bad idea for this situation.
-
Interesting. Another problem DNSSEC doesn't have, since CNAMEs (in theory, anyway) get to CNAME the trust relationship too.