Re: not really pgp signing in van

"John R Levine" <johnl@taugh.com> Tue, 10 September 2013 21:47 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53E9B11E8152 for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 14:47:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KZBChKSGobB for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 14:47:57 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com [IPv6:2001:470:1f07:1126:0:4c:6569:6c61]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA8411E8137 for <ietf@ietf.org>; Tue, 10 Sep 2013 14:47:56 -0700 (PDT)
Received: (qmail 42380 invoked from network); 10 Sep 2013 21:47:56 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent:cleverness; s=a58b.522f938c.k1309; bh=mS5fheEF+YamebVqKb9SK4kgtdZG+BzSR5z/Zk/aDrQ=; b=hPKtQqP2JT0qkQQebwd6vNcrR+IkhwGvX4PAuNuhzbUoBgiiNddqcuIJu/kUf+EbknRFTu2sZlg0rGkY0q0RdbN1CoIkHrUW7CtCinKo2Hh9qgjV8lxElzULpxcf4ll6We+erNZuy7g5Rk3lLE2IjLoDO7ATfn5ybQI6MNUskUEyysK36gTt972K5TOj7FvtHr+bYqS9dL0WPUr6GSKUfkhfe1UKRcB1d9pqQtng+bDgGQ68j13NYBAy4H/RtSEH
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent:cleverness; s=a58b.522f938c.k1309; bh=mS5fheEF+YamebVqKb9SK4kgtdZG+BzSR5z/Zk/aDrQ=; b=MWN2zyf56Z7ObgoDcixbihVUhfwnOn6nap1dsafSPOMEfCvdECWfbavO8NJPwj9xI7jUn6ZeNPQYAhOOk5b2y+hG3e1J+FbdVTXeJNOHURiCvng9KLEIY9FVVtDz/r0UwCMmEVATxeDNiDklX7ntMPsyDGDWqWsobdXwCPN4NYlYtCFQihNpIk3TxjTUoV6ai+CZ2UslYfSwtq+ZvD61bq3IkNjh5eyEpW8uR9c8OpZPFDol9mCRhy1zawR2stlK
Received: (ofmipd 127.0.0.1); 10 Sep 2013 21:47:34 -0000
Date: Tue, 10 Sep 2013 17:47:55 -0400
Message-ID: <alpine.BSF.2.00.1309101745410.46654@joyce.lan>
From: John R Levine <johnl@taugh.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: not really pgp signing in van
In-Reply-To: <E2ECE63C-D8E4-4A5A-BEA3-295C027D0E71@nominum.com>
References: <20130910010719.33978.qmail@joyce.lan> <8D23D4052ABE7A4490E77B1A012B63077527E234@mbx-01.win.nominum.com> <alpine.BSF.2.00.1309092125360.34090@joyce.lan> <8D23D4052ABE7A4490E77B1A012B63077527E488@mbx-01.win.nominum.com> <CAMm+LwhZ9OKesZW+kFct5Gps6_JBzcNUUBQ-y5J21zMcxmL6EQ@mail.gmail.com> <241D1DD6-C096-49D6-A05B-33638846BF15@nominum.com> <CAMm+LwhhUzDX=AaJXSCkqJofHQ9ZiN11GmCw-reO0OPmNC4fyA@mail.gmail.com> <E2ECE63C-D8E4-4A5A-BEA3-295C027D0E71@nominum.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: MULTIPART/signed; protocol="application/pkcs7-signature"; micalg="sha1"; BOUNDARY="3825401791-240399118-1378849676=:46654"
Cc: "<ietf@ietf.org>" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 21:47:58 -0000

>> You go to a Web page that has the HTML or Javascript control for generating a keypair. But the keypair is generated on the end user's computer.
>
> So I run Javascript provided by Comodo to generate the key pair.   This means that my security depends on my willingness and ability to read possibly obfuscated Javascript to make sure that it only uploads the public half of the key pair.

I think we're entering the tinfoil zone here.  Comodo is one of the 
largest CAs around, with their entire income depending on people paying 
them to sign web and code certs because they are seen as trustworthy.

How likely is it that they would risk their reputation and hence their 
entire business by screwing around with free promo S/MIME certs?

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.