Re: [therightkey] Basically, it's about keeping the CAs honest

Martin Millnert <martin@millnert.se> Mon, 13 February 2012 23:50 UTC

Message-ID: <1329176995.11318.16.camel@davinci.millnert.se>
From: Martin Millnert <martin@millnert.se>
To: Kyle Hamilton <aerowolf@gmail.com>
Date: Tue, 14 Feb 2012 00:49:55 +0100
In-Reply-To: <gym4oivefh5468lo64jezwJv4X.penango@mail.gmail.com>
References: <CAK3OfOhx_xbx1TrJL==BjmqVM8zZKDa8u4rQ7wCpKom4ZZODOg@mail.gmail.com> <gym4oivefh5468lo64jezwJv4X.penango@mail.gmail.com>
Cc: Nico Williams <nico@cryptonector.com>, therightkey@ietf.org, mrex@sap.com, Chris Palmer <palmer@google.com>

On Mon, 2012-02-13 at 15:22 -0800, Kyle Hamilton wrote:
> On Mon, Feb 13, 2012 at 3:16 PM, Chris Palmer <palmer@google.com> wrote:
> > On Mon, Feb 13, 2012 at 3:08 PM, Kyle Hamilton <aerowolf@gmail.com> wrote:
> > For network operators wanting to MITM their own client devices, the
> > solution is simple: install the MITM certificate as a trusted root
> > certificate at the time the device is provisioned (and/or in later
> > updates). Windows GPOs, for example.
> >
> > There is no need for such operators to get or use a *public* authority
> > for this purpose. Everybody wins; what's the problem?
> 
> Do you have any idea how hard some software (*cough*Firefox*cough*) currently makes it to provision trust anchors for anything, much less anything resembling this purpose?  Do you have any idea how much it costs to indoctrinate someone into the peculiar worldview where X.509 actually makes sense?

Solutions are plentiful, according to my <5 min evaluation of some search
results.*

/M
* https://duckduckgo.com/?q=firefox+windows+group+policy&kp=-1