Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Leif Johansson <leifj@mnt.se> Mon, 16 December 2013 06:32 UTC

From: Leif Johansson <leifj@mnt.se>
Date: Mon, 16 Dec 2013 07:32:26 +0100
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Tao Effect <contact@taoeffect.com>

> On 16 Dec 2013, at 03:21, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> 
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>> 
>> 
>> I thought the EFF was a reputable source.
>> 
>> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
> 
> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
> 

Yep, DFN is a 'private' sub-CA under tight control, but it could still be attacked the way DigiNotar was, and though I believe their security is a lot better than their less fortunate Dutch cousins, a successful attack would be just as bad.

> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
> 
> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
> 
> 
>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader? 
>> 
>> 
>> What market leader?
> 
> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mentioned in the mainstream press. It is not clear to me how namecoin can be part of Bitcoin and another currency.
> 
>  
>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>> 
>> What eGold scheme are you comparing Namecoin to?
> 
> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
> 
>  
>> Are you sure you know what you're talking about here...? ;-)
> 
> I must admit that I find the scheme completely confused, and it assumes that I know a lot that I do not.
> 
> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>  
> 
> -- 
> Website: http://hallambaker.com/