Re: [therightkey] Barely-capable CAs

Phillip Hallam-Baker <hallam@gmail.com> Thu, 01 November 2012 16:29 UTC

In-Reply-To: <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org>
Date: Thu, 01 Nov 2012 12:29:31 -0400
Message-ID: <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Barely-capable CAs

This is about barely capable sysadmins.

Different problem.


On Thu, Nov 1, 2012 at 11:14 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Nov 1, 2012, at 2:10 AM, Ben Laurie <benl@google.com> wrote:
>
> > It's only software. The process of participating in CT for a server
> > operator is:
> >
> > 1. Run command line tool once, giving it your certificate as input and
> > an SCT file as output.
> >
> > 2. Add one line of configuration to your server config.
> >
> > Not exactly rocket science. If people _really_ find it hard, we could
> > build it into the servers so there was no manual step at all.
>
> As someone who has to trust every CA in the root pile in my browsers and
> OSs, I find it frightening that a CA who can say "this is your bank's
> certificate" cannot handle new requirements for how to say that. If
> adopting a simple protocol like this causes an ossified CA too many
> problems, maybe I don't trust that CA to be able to issue certificates for
> my bank, much less to be able to know which certificates that they are
> actually issuing.
>
> --Paul Hoffman
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>



-- 
Website: http://hallambaker.com/
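The two-step procedure Ben Laurie describes in the quoted message turns on the SCT file that the command-line tool writes out. As an added example, not code from this thread or from any CT implementation, here is a parser for the RFC 6962 v1 SCT wire encoding together with the byte string a log signs for a plain X.509 entry, which is what a verifier checks the SCT signature against. The sample SCT is constructed (a fake log ID, no extensions, a dummy signature and a timestamp from the day of this thread); signature verification with a real log key is out of scope here.

```python
import struct

# Field values from RFC 6962 (Certificate Transparency), TLS-style encoding.
SCT_VERSION_V1 = SIG_TYPE_CERTIFICATE_TIMESTAMP = ENTRY_TYPE_X509 = 0
HASH_SHA256, SIG_ECDSA, SIG_RSA = 4, 3, 1   # SignatureAndHashAlgorithm values

def parse_sct(data, now_ms=None):
    """Parse one serialised v1 SCT (RFC 6962 s3.2/s3.3) with structural sanity checks."""
    if len(data) < 43:
        raise ValueError("SCT truncated")
    version = data[0]
    if version != SCT_VERSION_V1:
        raise ValueError("unsupported SCT version %d" % version)
    log_id = data[1:33]                               # SHA-256 of the log's public key
    timestamp, ext_len = struct.unpack(">QH", data[33:43])   # ms since epoch, CtExtensions length
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    if len(extensions) != ext_len or len(data) < pos + 4:
        raise ValueError("extensions or DigitallySigned header truncated")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    pos += sig_len
    if len(signature) != sig_len or pos != len(data):
        raise ValueError("signature truncated or trailing bytes after SCT")
    if hash_alg != HASH_SHA256 or sig_alg not in (SIG_ECDSA, SIG_RSA):
        raise ValueError("unexpected signature algorithm")
    if now_ms is not None and timestamp > now_ms:
        raise ValueError("SCT timestamp lies in the future")
    return {"version": version, "log_id": log_id, "timestamp": timestamp,
            "extensions": extensions, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": signature}

def x509_signed_data(sct, cert_der):
    """Bytes the log signed for an x509_entry (RFC 6962 s3.2); verify sct['signature'] over this."""
    if not 0 < len(cert_der) < (1 << 24):
        raise ValueError("certificate length outside ASN.1Cert<1..2^24-1>")
    return (bytes([sct["version"], SIG_TYPE_CERTIFICATE_TIMESTAMP])
            + struct.pack(">Q", sct["timestamp"])
            + struct.pack(">H", ENTRY_TYPE_X509)
            + len(cert_der).to_bytes(3, "big") + cert_der      # 3-byte length prefix
            + struct.pack(">H", len(sct["extensions"])) + sct["extensions"])

# Constructed sample, not a real log's SCT: fake log ID, no extensions, dummy signature.
SAMPLE_SCT = (bytes([SCT_VERSION_V1]) + b"\x11" * 32
              + struct.pack(">QH", 1351787371836, 0)
              + bytes([HASH_SHA256, SIG_ECDSA]) + struct.pack(">H", 4) + b"\xde\xad\xbe\xef")
```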