Slashdot Mirror


User: Timothy Brownawell

Timothy Brownawell's activity in the archive.

Stories: 0 · Comments: 1,507

Comments · 1,507

  1. Re:And a good thing too. on Working Around Slow US Gov. On DNS Security · Score: 1

    I think a fragmented root is ideal, as long as it's clear who you are trusting. I would rather have the EU sign off on some, US on others, Russia/China on theirs; there is no need to get everything signed by the US (in fact politically AND technically it is a much worse solution).

    Is there some reason they can't just put multiple signatures on the records, so the US, Russia, China, etc, could all sign the entire root if they wanted to?

  2. Re:DNSSEC overrated on Working Around Slow US Gov. On DNS Security · Score: 1

    But you should go to the next obvious step/question: How much will the entities holding the .com and .org keys charge for signing cnn.com, slashdot.org and so on?

    Presumably, exactly the same amount they currently charge for those domain names. Isn't the idea to make it the standard, so that whenever you buy a domain name you also get whatever signatures/keys/etc you need to be able to make dnssec work on your domains?

    1) If you are using https/ssh/ipsec/openvpn properly, and someone spoofs your dns so you attempt to connect to the wrong server, you will get a warning/error. So what is DNSSEC's added value here?

    Or you'll just get an unencrypted page and no error, and only notice if you're actually paying attention.

    So someone tell me, what real value does DNSSEC add?

    It prevents spoofed DNS responses, even if there is a mitm. This means that you can use DNS for public key distribution (so there's no reason to ever be forced to pay for a "normal" SSL certificate; only the EV ones where they check your real-world identity provide any added value) and probably all sorts of other cool things.

  3. Re:DNSSEC overrated on Working Around Slow US Gov. On DNS Security · Score: 1

    It's not a scam. It would just be plain stupid to accept an SSL certificate that was signed by anyone. Just because a site says "Hi, I'm eBay!" doesn't mean that it is. CAs sign the certificate as "proof" that it is really eBay.

    No. It would be stupid to give all the special UI cues for a secure site, with an unverified certificate. SSL with an unverified certificate is approximately as secure as plain http with no encryption, and should be treated the same. (And "signed by any random CA, maybe even a different one than last time" should not be the same as "verified", but that's a different stupidity...)

  4. Re:It definitely does on 1 of 3 Dell Inspiron Mini Netbooks Sold With Linux · Score: 1

    and I note that you were one of those who said that Vista Capable was right: it COULD run Vista. That it couldn't run *any* version was irrelevant.

    Link please? That does not sound like something I'd say (well, unless perhaps I was being sarcastic).

  5. Re:Sounds good to me on 1 of 3 Dell Inspiron Mini Netbooks Sold With Linux · Score: 1

    ...I need Windows for a few things.

    No you don't; you need wine. :-)

    Cheers.

    Last I heard, Visual Studio doesn't work in wine.

  6. Re:DNSSEC overrated on Working Around Slow US Gov. On DNS Security · Score: 1

    If you think that the commercial CAs are running a racket, you don't need to take part. Really. [...] You only need the CAs when you are communicating with people who don't already know you

    So you do have to take part, because the browser makers have decided that self-signed SSL is deserving of error messages due to being somehow less secure than plain http. Therefore making it a "racket" instead of just a "scam".

  7. Re:EV certificates on SSLStrip Now In the Wild · Score: 1

    Having a CA funded by anyone but the website also doesn't work, since the site needs to get a certificate from the CA before going live.

    I don't see why a site requesting a CA needs to be live. Consider FooCA, a for-pay CA that users subscribe to, or that ISPs subscribe to on behalf of their users. (There are other models --- this is just an example). If BarInc wants a certificate from FooCA, BarInc just applies to FooCA as soon as BarInc incorporates and obtains BarInc.com. Why would BarInc.com need to be live at this point?

    If FooCA just gives BarInc a cert, how do they extract any sort of payment from the visitors? Once the cert is in the wild, anyone can use it to verify BarInc.com. So FooCA would have to not provide it to anyone until asked (and paid) by one of their customers.

    The CA is only involved in issuing the certificate, nobody talks to them per site visit. Having the visitors instead of site owner pay the CA would require changing this, which doesn't seem feasible.

    I'd rather have a robust CA system so that nobody has to be in that group of fooled people

    It shouldn't be the users getting fooled, just some of the Perspectives servers. And since only some of them are fooled, when the user asks all of them they'll get different answers and know that something's up.

    I actually think the CA system is much more fragile, since you only have to fool one person once to get an evil cert you can screw anyone with.

    Perspectives also adds significant latency to the connection and has other technical problems

    It will add latency, but that can probably be limited to the first connection with a scheme like how SSH remembers certs. It also probably has scalability issues and would have privacy issues if anything was ever logged (but not much worse than if say the .com nameservers started logging requests). What other problems do you see?

  8. Re:EV certificates on SSLStrip Now In the Wild · Score: 2, Insightful

    There are a couple solutions to the incentive problem:

    1. Make users pay CAs to validate websites: this puts the economic incentives in the right place, but users will resent paying for what used to be "free". Personally, though, I'd subscribe to an enhanced validation service.
    2. Change CAs into non-profits: the problem with this approach is that funding would then have to come from the government or some other organization. Can you imagine "PayPal, stop accepting payments for contraceptives or we'll revoke your certificate, you liberal hippies"?

    I wish I could come up with better ideas.

    Having a CA funded by anyone but the website also doesn't work, since the site needs to get a certificate from the CA before going live. And unless it's ICANN running the CA, a site might need to get certs from multiple CAs if people in different countries or with different browsers want to talk to them.

    Hmm, there's a thought. Self-signed certs, with the root cert fingerprint available as a DNS record, using DNSSEC. Then get the real-world identity info from 'whois'.

    Or use something based on "can't fool all of the people all of the time" like Perspectives (see sig), where instead of having a CA that gives the site owner a certificate, there are a bunch of public servers that you ask whether they see the same key you see for whatever site you're going to.

  9. The "police investigation" sounds even more bogus on Why Doesn't the IWF Notify Those Whom They Block? · Score: 3, Insightful

    So consider the only substantive reason given in the IWF's response, which is that notifying the host "may undermine a police investigation." This could hypothetically be true in some cases - if police are preparing to move in on a suspected child pornographer, but he finds out that his ISP has removed content from his account after a notification from the IWF, he might know that he's about to be caught, and delete any incriminating pictures from his hard drive.

    Doesn't this only really make sense if there's some connection between the police investigation and being put on the list?

    Imagine if nobody was allowed to tell anybody "hey, I think what you're doing might be illegal". Because of course there's a chance that it really is illegal and that the police are investigating, and if the person told this decided "hey, you're right, I guess I'll stop", well, you've just interfered and prevented the investigation from succeeding.

    Maybe they just care more about persecuting people than they do about reducing unlawfulness...

  10. Not quite... on Human Eye Could Detect Spooky Action At a Distance · Score: 4, Informative

    (That's the ability of entangled photons to influence each other, no matter how far apart they might be.)

    That's not what entanglement is. It's knowing "this is currently the same as that" or "this is currently the opposite of that" without knowing what "this" or "that" actually is. There is no "connection" or "influence", just a relation that says knowing what "this" is tells you about what "that" is (until it gets changed by interacting with the environment).

  11. Re:We only use data that support our hypothesis on Arctic Ice Extent Understated Because of "Sensor Drift" · Score: 1

    IANAS (Scientist) but I believe it has something to do with the prevalent carbon dating method relying on a form of circular logic: the age of a soil stratum is based off of how old the object in it is, and the object is dated by which strata type it is in.

    There's also the fact that it relies on the level of radioactive carbon in a piece of organic material. This is flawed, because carbon/CO2 in our atmosphere has varied in amount through time and by location.

    Wikipedia tells me that radiocarbon dating is only good back to about 60k years, and that it is very well calibrated back to 26k years by checking against tree rings and similar.

  12. Re:We only use data that support our hypothesis on Arctic Ice Extent Understated Because of "Sensor Drift" · Score: 2, Insightful

    Unfortunately that seems to be the way of a lot of science today. Carbon dating is another minefield that comes to mind.

    How so?

  13. Re:This is nonsense. on Twitter Leads Social Networks In Downtime · Score: 1

    Aside from all that, I just love tormenting Ruby fanatics. They're as defensive and strident as any C geek, though, unlike the C geeks, Ruby/Rails people can't point to any performance increases to justify their fanaticism.

    I thought that basically their entire argument was that they can (supposedly) increase programmer performance by some huge amount.

  14. Re:Retarded on Don't Like EULAs? Get Your Cat To Agree To Them · Score: 1, Insightful

    What the fuck is this shit? Seriously.

    No, really. Does anyone sane actually think this would have even the tiniest chance of working?

  15. Re:Hi again on How Many Open Source Licenses Do You Need? · Score: 1

    I do not believe (but of course IANAL) that you can use GPL v3 code in iPhone applications, as they have to be DRM signed by Apple. However, you can make GPL v2 applications for the iPhone.

    I'm pretty sure that only applies to software that's bundled with the hardware. So Apple / AT&T can't sell iPhones with GPLv3 software preloaded, but putting GPLv3 programs in the app store should be OK.

    (This is of course discriminatory and non-free, but nobody seems to care about that.)

  16. Re:Has The GPL Ever Been Proven on How Many Open Source Licenses Do You Need? · Score: 1

    but in volume it seems pretty clear to me that people start GPL projects

    Why? Is it because they have seriously considered the alternatives and prefer GPL, or because they bought into the FUD ("unpaid employee", "your code can be taken away and made proprietary"), or just because the FSF has been successful in positioning the GPL as the "default" license for people who don't bother to care?

  17. Re:there's a number of pretty clear examples on How Many Open Source Licenses Do You Need? · Score: 1

    These new forces being applied to what is an extremely efficient ecosystem of code sharing will completely break apart open source as we know it.

    Can't happen. Any movement in that direction would very quickly result in the instigators being widely ignored, regardless of their (prior) status.

  18. Re:GPL v3 vs Linus on How Many Open Source Licenses Do You Need? · Score: 1

    I think the whole bitkeeper fiasco has amply demonstrated that Linus is not a trustable authority on software licensing and its political implications.

    How did the downtime from the loss of bitkeeper compare to the time gained from moving to a half-decent DVCS before the others were ready?

  19. Re:GPL v3 vs Linus on How Many Open Source Licenses Do You Need? · Score: 1

    Linus is unfortunately one of the typically "can't we all just get along" geeks - he doesn't seem to care for the social good so much as being able to continue to work on his projects. Such people are certainly useful - "not seeing the big picture" isn't a barrier to being an effective technical leader (and by pretending such problems/disagreements don't exist or minimising them, they better enable people with substantive differences in the area to work together).

    For people who do care about the public good, the best thing to do is to look for other people for inspiration on matters of licenses and large-scale strategy (like rms, BPerens, esr, theo, or one of several others, depending on one's particular inclinations). There's a lot of positions one might take on these matters, most of them better than playing ostrich.

    We also should refuse to "play ostrich" about countries currently going through something like the Industrial Revolution, and embargo them until they decide to lift themselves, unassisted, by their own bootstraps, into sufficient prosperity to care about working conditions.

    Yeah, it's stupid, but this is no different.

  20. Wait, what? on A Software License That's Libre But Not Gratis? · Score: 4, Informative

    gives the customer the freedom to modify the product as they want, but prohibits them from creating derivative works

    Modifying the product is creating a derivative work.

    My company is developing some software using Ruby. It's proprietary software - decidedly not free-as-in-beer - but I don't want to tie my customers down with the usual prohibitions on reverse engineering, modification, etc. After all, they're licensing the product from us, so I think they should be able to use it as they see fit.

    Look into selling them a copy of your software, instead of a license to use a copy of your software. US copyright law does permit people who actually own a copy of software to make certain kinds of modifications (don't recall what exactly), make the needed copies to actually use it (disk -> ram, etc), and such.

  21. Re:Decoys on The Real Risks of Obama's BlackBerry · Score: 1

    And a third motorcade with no cars in it?

  22. Re: "... very small pieces cannot be" tracked on Satellites Collide In Orbit · Score: 1

    Actually, any piece large enough to pose a threat to anything we care about can be tracked, and by what counts as ancient technology: the AN/FPS-85 phased array spacetrack radar, for example.

    That can track pieces the size of marbles? The only size reference I see is a basketball at 22000 nm (presumably "nautical miles" instead of "nanometers").

  23. Re:I don't get Net Neutrality on Senator Diane Feinstein Trying to Kill Net Neutrality · Score: 1

    -There are no instances of this actually happening.

    Except for (among others) the one the FCC is investigating Comcast for?

  24. Re:I didn't know Feinstein was a Republican.... on Senator Diane Feinstein Trying to Kill Net Neutrality · Score: 2, Insightful

    You know, as much as I like the spirit of net neutrality, I've always found it suspicious that the same ./ers who tell the government to "keep out of my internets" are so supportive of giving the government more footholds in regulating the net.

    Why? We don't want the government saying what can/can't be done online, and we don't want the ISPs doing that either. The preferred answer to the ISPs would be "vote with your wallet", but this doesn't work because the local governments like selling them monopolies.

  25. Re:Good! on Senator Diane Feinstein Trying to Kill Net Neutrality · Score: 2, Interesting

    forget all about the idiocy, bureaucracy and corruptability of the state

    Companies are just as corruptible, and I'd say the big ISPs are more corruptible because (1) they don't have to worry about pissing off the voters too much and (2) it's illegal to compete with them.

    Who do you think is the most likely destroyer of all the things you like about the Internet 50 years from now... Qwest, or the state?

    I'd say the duopoly ISPs that don't have to care about making people like their service, because the local government forbids competition.

    The irony is that laws like this will immediately be co-opted by the very ISPs you hate as a means of maintaining their monopoly.

    Their monopoly comes purely from the fact that local governments sell them monopolies in the name of not having the streets torn up all the time. Regulating them to be simple dumb pipes would be a good thing, as it would keep this granted monopoly to as narrow an area as possible. (Only granting this kind of power to co-ops would probably be even better, but I don't think that could ever happen.)