Re: [certid] Please explicitly disallow unvetted info in subject

Nelson B Bolyard <nelson@bolyard.me> Thu, 10 June 2010 19:48 UTC

Message-ID: <4C11421B.1090209@bolyard.me>
Date: Thu, 10 Jun 2010 12:50:51 -0700
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre
MIME-Version: 1.0
To: certid@ietf.org
References: <201006101745.o5AHjn7N022071@fs4113.wdf.sap.corp>
In-Reply-To: <201006101745.o5AHjn7N022071@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [certid] Please explicitly disallow unvetted info in subject

On 2010-06-10 10:45 PDT, Martin Rex wrote:
> Nelson B Bolyard wrote:
>>> CAs vouch and are liable for every single bit in the ToBeSigned part
>>> of a certificate, no matter what stupid things they claim in any weird
>>> and ineffective "certificate practice statement" (CPS).
>> I think you'll find that lots of lawyers disagree.  To the contrary, they
>> would claim that the expectation that CAs do anything other than what their
>> CPSes say is the stupid part.  In most jurisdictions, there's no law that
>> says what CAs must do, so CAs are bound by contract, and the contracts all
>> cite the CPSes.
> 
> It is the CAs who asked the browser vendors to ship their certs
> preconfigured as trusted!

Yes, the browser vendors review the CPSes and determine whether those CPSes
meet their minimum requirements or not.  Presently the browsers (well, some
of the browsers) do not display the values of the attributes that are known
not to be vetted by numerous CAs in the main site identity display.  (Those
attributes may be displayed if the user brings up a dialog that views the
entire certificate).

> How many "certificate practice statements" (CPS) have you had to click
> through before your browser allowed you to establish a TLS-protected
> communication?
> 
> For every user, where the count is "none", there is _no_ CPS in effect.

You're welcome to that opinion.