Re: Quic: the elephant in the room

Phillip Hallam-Baker <> Sun, 11 April 2021 22:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6981A3A2224 for <>; Sun, 11 Apr 2021 15:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LPqtdsXtaeai for <>; Sun, 11 Apr 2021 15:52:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CEFB53A2221 for <>; Sun, 11 Apr 2021 15:52:31 -0700 (PDT)
Received: by with SMTP id 65so12986962ybc.4 for <>; Sun, 11 Apr 2021 15:52:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ADSXPlxFB6idh6XdvVXI95U/bPArtT2/DkpgWBgR+vk=; b=lyM7pofrYnlpVxAfyw1/N0qAD1Foohl2XM2LgTIDLrrNy1DTDc1Qm4sgO226GniBy7 YmLbMHsMQllPS9bXwKd6fvPPQooftSN9x++zSDW1DZxcmtFl3gg6rh9ltDH2nebTvAA/ BQc5oB30hXFy0pbaGnnhVi7paEOo1tY+Uq3LB5UzQiNOCD/ca/UtIHvmUBQaKrgZjP5S d8rsQJbJjuCgrsWVH4a3K7yvPiWJ5xSR+xZBsDiJ9rnEcdNdRUfoTCCsnaWlaXLm3h0j 4vZ0IgmYgIq3xDQ0pfLUBKSg8J7fY2VzQIfyOm+j3RXiYWvRtceVMvtCRskr8ViVhy62 tq+g==
X-Gm-Message-State: AOAM532TMMiwy98eDf/H0xbZf7aRyDSotmlZ3TVlipRhL/ijAfbWGSyo hL/rK5/dygZ6oDG64Dae0xkb4PKYcCHMfVUpq9iGMpgfynE=
X-Google-Smtp-Source: ABdhPJz4OAV7UvsvxBkSUtMWC7xAveFK3yOrm4W9Wszr+lNY0Q5V6KwugUaXaMiv5EPGQhtBK/rUyGMnPsnLz/cZNys=
X-Received: by 2002:a5b:48c:: with SMTP id n12mr34260451ybp.273.1618181550367; Sun, 11 Apr 2021 15:52:30 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Sun, 11 Apr 2021 18:52:20 -0400
Message-ID: <>
Subject: Re: Quic: the elephant in the room
To: IETF Discussion Mailing List <>
Content-Type: multipart/alternative; boundary="0000000000007de73105bfba4076"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Apr 2021 22:52:33 -0000

Since people continue to debate the CA vs DNS Registrar thing, I will just
point out that we haven't had a case where an outright criminal operation
has set up as a CA. In the DNS space we have had fully accredited
registrars that have been just that.

Also, the WebPKI is not designed to provide confidentiality or even
authenticate the parties. It is designed to make electronic commerce
possible in an open network by establishing accountability. Back in 1995,
export crypto was limited to 40 bits. People seem to forget that.

If people have a limited understanding of what the WebPKI is designed to do
and ignore all the parts that don't meet their expectations, well of course
they will end up assuming something else could do the same. But that
doesn't make it true.

I have never seen much if any value to domain validated certs at all. Just
use raw keys or self signed certs and you will get pretty much the same
benefit. I suggested Web browsers stop giving out the silly WARNING THIS
CONNECTION IS SECURED BUT NOT ENOUGH messages back in the 1990s. If a
browser is going to accept an entirely insecure connection, it should not
complain when something better is offered, but it shouldn't show a padlock
icon either.

The WebPKI is all about accountability through incorporation credentials.
That is why we never suggested it as the basis for DKIM technology. If
there was going to be a PKI backing up DKIM it would be advising sender