Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Jacob Appelbaum <jacob@appelbaum.net> Wed, 01 January 2014 18:27 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57EAC1AE8DC for <therightkey@ietfa.amsl.com>; Wed, 1 Jan 2014 10:27:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.099
X-Spam-Level: **
X-Spam-Status: No, score=2.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FSL_HELO_BARE_IP_2=1.999, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eue6hNF8FZ-y for <therightkey@ietfa.amsl.com>; Wed, 1 Jan 2014 10:27:46 -0800 (PST)
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by ietfa.amsl.com (Postfix) with ESMTP id 573541AE8E1 for <therightkey@ietf.org>; Wed, 1 Jan 2014 10:27:44 -0800 (PST)
Received: by mail-ee0-f54.google.com with SMTP id e51so5149747eek.27 for <therightkey@ietf.org>; Wed, 01 Jan 2014 10:27:37 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:mime-version:to:cc:subject :references:in-reply-to:openpgp:content-type :content-transfer-encoding; bh=XGSsAHGMZLizKaFuUzt5HUuM/GRznWLaPI1lTnC5JMA=; b=D0uTVt8gkyrTJExX9XyrvtoZQQuR7gPAZsq1X0e+jyjgd2OowYkPX0NbEzIyEglhgR /Saf2sRYV6ebBU3n8ddKqROvEYD8Hv6DXUEW6+r8egk37LtpnsTy4eVmlVbx0RcoI99L w4XkIlzGzM+DGojOh466tQUfuRZN6k9cec+tVXVEB0uwrg95ZxCKH6DEk5xnIDRjF5m3 djdVe4NZ5PY/Yu7l+SUdWrclX8SO1knGoJLceBnacVAZVtXiYHR7CNHVRPwaydyjgGF7 I+oP0c0lZ5AV4kR9j1LzARULUR68QMIXzCGcdASub8+coYB14tjjRp/rz2x7sToq6FfE G50w==
X-Gm-Message-State: ALoCoQljVgT91aoCp/8W64vVmVSM+bsRoJJlATrlzm7d0GpykxQfpJ7SqVO9Z3f+OI5nM5SfSqHB
X-Received: by 10.14.119.1 with SMTP id m1mr12166203eeh.39.1388600857048; Wed, 01 Jan 2014 10:27:37 -0800 (PST)
Received: from 127.0.0.1 (tor.pm-ib.de. [83.133.106.73]) by mx.google.com with ESMTPSA id e43sm129151225eep.7.2014.01.01.10.27.32 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 01 Jan 2014 10:27:35 -0800 (PST)
Message-ID: <52C45CDC.5020608@appelbaum.net>
Date: Wed, 01 Jan 2014 18:22:20 +0000
From: Jacob Appelbaum <jacob@appelbaum.net>
MIME-Version: 1.0
To: Rob Stradling <rob.stradling@comodo.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com>
In-Reply-To: <52C2D54F.8000209@comodo.com>
OpenPGP: id=4193A197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: therightkey@ietf.org, Seth David Schoen <schoen@eff.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jan 2014 18:27:47 -0000

Rob Stradling:
> On 23/12/13 18:29, Jacob Appelbaum wrote:
>> Phillip Hallam-Baker:
> <snip>
>>> You can't calculate the number of CAs the way the EFF tried to. An
>>> intermediate certificate does not equate to a CA. Pretending it does to
>>> peddle an alternative PKI scheme calls into question their veracity.
>>
>> I disagree strongly. I have an intermediate certificate. I am as
>> powerful CA as a result.
> 
> Jake, you're only that powerful if you control the intermediate private
> key.

I do control the private key for the aforementioned intermediate
certificate[0] authority. :)

... and I'm not the only one, obviously.

Happy new year,
Jake

[0] http://www.win.tue.nl/hashclash/rogue-ca/