Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Slashdot Deals: Deal of the Day - Pay What You Want for the Learn to Code Bundle, includes AngularJS, Python, HTML5, Ruby, and more. ×

Comment Re:What?! (Score 1) 897

The flaw isn't in the protocols, it's in your misuse of them.

The fundamental problem is that you need to be able to prove to someone who's never met you that you are who you say you are. There's just no way to do that, in software or in real life, without reference to some mutually trusted third party.

Say you're picking up theater tickets at will-call: they ask you to show an ID card which 1) you couldn't reasonably have made yourself (hence the third party), 2) has the same name on it that was used to buy the tickets, and 3) is verifiably tied to your physical identity via a photo. You have to provide all three of these elements in order to prove you own the tickets.

The solution you suggested originally -- having the user install your CA cert over a non-authenticated connection -- is like calling the box office before you leave the house to read them your driver's license over the phone. Two out of three elements are completely missing! What if someone else gets there before you do and says "Yeah, I'm spottedkangaroo, I called earlier"?

We're here to give you a computer, not a religion. - attributed to Bob Pariseau, at the introduction of the Amiga