Re: [saag] [pkix] fyi: CA/Browser Forum (CABF) reform deliberations + Revocation and TLS/SSL Replacements/Enhancements
Phillip Hallam-Baker <hallam@gmail.com> Thu, 17 May 2012 06:38 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5216721F85CD; Wed, 16 May 2012 23:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.562
X-Spam-Level:
X-Spam-Status: No, score=-3.562 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Heuw1u2wPDu; Wed, 16 May 2012 23:38:33 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id B814C21F85BE; Wed, 16 May 2012 23:38:32 -0700 (PDT)
Received: by obbeh20 with SMTP id eh20so2524219obb.31 for <multiple recipients>; Wed, 16 May 2012 23:38:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=u8/sCIPi5QuW+yTnfU2NSAXtM9YjFLDh+jiQV2igsmc=; b=syhdvgUVRL0Fv41+jDfyzsesi530upPhs3KG8fkCy6EdYoe4cIDFfFvVZbDLWZ+ut1 WICfvd4HvalTXHN9i4RnAetXY6ZnM/QdWMeO+LJ7Nuh4wqLTu5vfexZ2S+qh7s4Tz9SD noYApyUuBqy1+l95izsVkZsaqXqXspP7Iw5luSmhlH0vuEdhdbyengLDLzqwrIL2Iofh vR3/BrwhcTo9+Y7YljngBV9R4BTdH8u+NIN/T1mZFPIxU5cOHE85p8weEHwCCpxeHlbU 5fnCG1YUJYT2JsS+1pkk1oWOIx+OCFDBzziqCnS1P3A+sRsrDDa12jhA8CNkCVxcU2ZD ZFAA==
MIME-Version: 1.0
Received: by 10.182.245.17 with SMTP id xk17mr5310676obc.66.1337236712316; Wed, 16 May 2012 23:38:32 -0700 (PDT)
Received: by 10.182.227.34 with HTTP; Wed, 16 May 2012 23:38:32 -0700 (PDT)
In-Reply-To: <CAG5KPzwGNRt1-yWnaKvfyOOw8viSzzfwo7pqjD2NA4Mnk0mPWg@mail.gmail.com>
References: <4F72C59A.90900@KingsMountain.com> <CAG5KPzwGNRt1-yWnaKvfyOOw8viSzzfwo7pqjD2NA4Mnk0mPWg@mail.gmail.com>
Date: Thu, 17 May 2012 16:38:32 +1000
Message-ID: <CAMm+Lwhd7mB4W42YS3GUQprRxZScpiXntG0RJn_anvx3+hQ39Q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <ben@links.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: IETF PKIX WG <pkix@ietf.org>, IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [pkix] fyi: CA/Browser Forum (CABF) reform deliberations + Revocation and TLS/SSL Replacements/Enhancements
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2012 06:38:34 -0000
SK is a TTP system as the notaries are still trusted to provide availability even if the other aspects of operation are cryptographically constrained against default. A group of notaries could collude to establish a cartel and extract functional pricing for their services if there was a sufficiently large number of relying parties. Alternatively they can simply publish a key for party X and then ransom it to the legitimate owner of the domain. SK is a silly, silly scheme that should be laughed off the stage. It punts on all the hard problems of PKI by asserting an administrative model that is ludicrous. 'google.com' must be worth a couple of billion dollars at least. I cannot see anyone with a valuable domain name risking it to a scheme that has revocation mechanism in case of administrative error. 'Don't make mistakes' is not a viable administrative approach. On Wed, Mar 28, 2012 at 6:10 PM, Ben Laurie <ben@links.org> wrote: > > > On Wed, Mar 28, 2012 at 8:02 AM, =JeffH <Jeff.Hodges@kingsmountain.com> > wrote: >> >> The CA/Browser Forum (CABF) was mentioned a few times during this very >> interesting presentation in the PKIX session at IETF-83 Paris yesterday... >> >> Trust-Related Activities: >> Internet Certification Authorities >> Revocation and SSL Replacements/Enhancements >> https://www.ietf.org/proceedings/83/slides/slides-83-pkix-10.pdf > > > Hmmm... > > a) Doesn't mention Certificate Transparency. > > b) Thinks Sovereign Keys (and presumably, had they mentioned it, CT) is a > TTP, which is incorrect. > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > -- Website: http://hallambaker.com/