Re: [therightkey] Barely-capable CAs

Jon Callas <jon@callas.org> Sat, 03 November 2012 00:58 UTC

Return-Path: <jon@callas.org>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC671F0C92 for <therightkey@ietfa.amsl.com>; Fri, 2 Nov 2012 17:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgBRyv0Cctaq for <therightkey@ietfa.amsl.com>; Fri, 2 Nov 2012 17:58:00 -0700 (PDT)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id 380A01F0C5F for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:58:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id BE9FD12AD3E8 for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfTl0G-Fuybz for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:57:59 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 0BE6F12AD3DD for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:57:59 -0700 (PDT)
Received: from [10.0.23.14] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Fri, 02 Nov 2012 17:57:59 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 02 Nov 2012 17:57:59 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org>
Date: Fri, 02 Nov 2012 17:57:58 -0700
Message-Id: <58705F8D-28D3-48F2-8D05-E04363259AE9@callas.org>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <70E51AD3-D937-416E-8F3C-60B6156190DC@vpnc.org> <CAMm+LwgSrwBO=cD5zQ5G1PG0YyC7gvG7cWGqhL1KhPectG6Y+w@mail.gmail.com> <DDDF8726-F491-46AB-9A4A-AFB99006A393@vpnc.org> <42F98BCB-17F8-427E-8E9D-33A04978A339@vpnc.org> <CAMm+LwihwHFYcAkJvjRe7Js9AJkS8s6ZooxJnE526UOsWHGCuw@mail.gmail.com> <A09B4DFF-936C-488C-9915-B5F9A579FA1F@vpnc.org> <CABrd9STFeAxxmFDCZMkREXyEcKbeeQbF8ZeESXcoKPnkckdZwQ@mail.gmail.com> <CAMm+Lwg6EoSy-p7US0uZtKjxGHF39iH-0mvxg-hJ+AqK4vXL-A@mail.gmail.com> <CABrd9SRa9Ye9gkjpaQ+PqQyay9NKJB__dkDwOBwPHvw16dkTRg@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <CABrd9SR4y5nRm-AP6t5_HzUO+CROwh+KnVn48_9hMTFQ4A93=Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org>
To: "therightkey@ietf.org" <therightkey@ietf.org>
X-Mailer: Apple Mail (2.1499)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2012 00:58:01 -0000

On Nov 1, 2012, at 8:14 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> As someone who has to trust every CA in the root pile in my browsers and OSs, I find it frightening that a CA who can say "this is your bank's certificate" cannot handle new requirements for how to say that. If adopting a simple protocol like this causes an ossified CA too many problems, maybe I don't trust that CA to be able to issue certificates for my bank, much less to be able to know which certificates that they are actually issuing.

I'm mostly with Paul on this. I think that a CA that doesn't see CT as an incredible boon is ossified, to say the least. I'd add that this can be something the market solves -- move your business to one that gets it.

I can't say enough good things about CT because I think it lets everyone win without being the TSA of the Internet. I can go on, but really, CT is almost all upside. The only real downside is that it puts stresses on genuinely private PKIs, but it's only a stress, and arguably the few of those that really exist can opt out. Ben has pointed out that the same sorts of problems that CT would put on such things are induced by the SSL Observatory and similar efforts.

	Jon