Re: [therightkey] Barely-capable CAs

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 01 November 2012 18:01 UTC

On Nov 1, 2012, at 10:08 AM, Rick Andrews <Rick_Andrews@symantec.com> wrote:

>> As someone who has to trust every CA in the root pile in my browsers
>> and OSs, I find it frightening that a CA who can say "this is your
>> bank's certificate" cannot handle new requirements for how to say that.
>> If adopting a simple protocol like this causes an ossified CA too many
>> problems, maybe I don't trust that CA to be able to issue certificates
>> for my bank, much less to be able to know which certificates that they
>> are actually issuing.
> 
> Paul, I find your statements to be oversimplifications:
> 
> 1) That the CT protocol is simple: I've been trying to make the point on this list that it may be conceptually simple but pretty difficult to implement to the scale that is required.

Required by whom? Your scale arguments have, I believe, been that we need the same number of CAs in the root pile as we do now, and that we need dozens of auditors for the relying parties to choose from. For me as a relying party, neither of those is true.

If I'm wrong about my interpretation of your scale arguments, by all means start a new thread on this list with a concise statement of what you think is required for scaling. 

> 2) That CAs can't handle new requirements:

That's silly: I believe that many CAs can handle the new requirements just fine.

> I'm not convinced that CT is the silver bullet that some appear to claim it is.

Now you're putting words in other people's mouths, not a great tactic in the IETF. The term "silver bullet" has not appeared on this list, and I don't remember anyone using anything at all similar when describing certificate transparency.

> If you were referring to my statements on this list, please don't interpret my criticism as inability to handle new requirements.

I didn't.

> I think a debate on the merits is healthy.

Yes, that's why we are all here.

--Paul Hoffman