Re: [therightkey] Barely-capable CAs

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 01 November 2012 20:34 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <5092D4C1.2000701@comodo.com>
Date: Thu, 01 Nov 2012 13:33:58 -0700
To: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Barely-capable CAs

On Nov 1, 2012, at 1:00 PM, Rob Stradling <rob.stradling@comodo.com> wrote:

> If by "actively participating" you mean that the CA has embedded the CT proof in the cert, then yes, there is no requirement on the bank.

That's one definition of "actively participating", but there are others, such as publishing a list that the auditors pick up.

> If the CA instead embeds the CT proof in OCSP Responses relating to the cert, then there is no requirement on the bank apart from having to use OCSP Stapling.

This confuses me. If the CA is putting the CT proof in its OCSP responses, why does the bank have to do anything?

> If the CA is not participating in either of these 2 ways, then there is a requirement on the bank (aka the "server operator"), which may or may not be rocket science, depending on your opinion.

If the CA is not participating, why should that CA be in the trust pile of software that relies on CT?

--Paul Hoffman