Re: [keyassure] publishing the public key

John Gilmore <gnu@toad.com> Tue, 15 February 2011 21:57 UTC

To: Henry Story <henry.story@bblfish.net>
In-reply-to: <4487480D-900D-4416-8437-583693908163@bblfish.net>
References: <201102141829.p1EITKHc009151@fs4113.wdf.sap.corp> <4487480D-900D-4416-8437-583693908163@bblfish.net>
Comments: In-reply-to Henry Story <henry.story@bblfish.net> message dated "Mon, 14 Feb 2011 20:07:04 +0100."
Date: Tue, 15 Feb 2011 13:58:15 -0800
From: John Gilmore <gnu@toad.com>
Cc: keyassure@ietf.org
Subject: Re: [keyassure] publishing the public key

>    I can't remember if in their presentation they tell us how many valid self
> signed certs they found out there...

According to Chris Palmer of EFF, the SSL Observatory found 7 million
self-signed certs (and 4.3 million with other certs).  But none of the
self-signed certs were considered "valid self-signed certs" because
the definition of "valid" was "with a valid signature chain, according
to at least one browser", and of course browsers consider self-signed
certs invalid.

It appears that securing your web site with crypto is about three
times as popular as obtaining a certificate from a certifying
authority.

So, providing a simple way in DNS for those 7 million web
administrators to securely anchor their website's public keys to their
domain names, without dealing with a certificate authority, would
provide significant benefits to literally millions of people.

	John Gilmore