Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Rob Stradling <rob.stradling@comodo.com> Mon, 16 December 2013 15:06 UTC

On 16/12/13 14:31, Phillip Hallam-Baker wrote:
<snip>
> That does not excuse
>
> 1) Failing to examine the issue when the DFN root accounted for half of
> the purported '600 CAs'
>
> 2) Continuing to count the DFN as 300 CAs when they know it is one.
>
> Putting out sloppy research and then failing to correct it when a
> mistake is committed is the problem. If someone publishes a flawed study
> I expect them to withdraw it when the errors are pointed out. I don't
> expect them to say that they are going to continue to publish a number
> they know is out by a factor of at least 2 because getting a correct
> number would be too much work.

FWIW, I suggested to Mozilla a few months ago that they could survey the 
CAs in order to find out the correct number (or, at least, a rather more 
accurate approximation!)

They seemed interested.

The conversation was somewhere in the middle of this thread...
http://mozilla.6506.n7.nabble.com/SSL-TLS-and-HTTPS-in-a-Post-Prism-Era-td294842.html

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online