Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
Rob Stradling <rob.stradling@comodo.com> Fri, 03 January 2014 15:28 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C68B61ADEBF for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 07:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.29
X-Spam-Level:
X-Spam-Status: No, score=-1.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dBqmuZhtr_FT for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 07:28:21 -0800 (PST)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) by ietfa.amsl.com (Postfix) with ESMTP id A45F01ADEB7 for <therightkey@ietf.org>; Fri, 3 Jan 2014 07:28:19 -0800 (PST)
Received: (qmail 23041 invoked by uid 1000); 3 Jan 2014 15:28:11 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Fri, 03 Jan 2014 15:28:11 +0000
Message-ID: <52C6D70B.30600@comodo.com>
Date: Fri, 03 Jan 2014 15:28:11 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Leif Johansson <leifj@mnt.se>, therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com> <52C45CDC.5020608@appelbaum.net> <96EF8E55-5860-4534-B370-83395C3985D4@vpnc.org> <52C5B67D.4050301@appelbaum.net> <A8E9A208-35FA-495F-8130-C08545011B59@vpnc.org> <52C6A819.4040509@mnt.se> <52C6B9F9.7010304@net.in.tum.de> <52C6C966.3090606@mnt.se>
In-Reply-To: <52C6C966.3090606@mnt.se>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2014 15:28:24 -0000
On 03/01/14 14:29, Leif Johansson wrote: > On 2014-01-03 14:24, Ralph Holz wrote: >> Hi, >> >>> My understanding of what Jakob wrote is that he holds the key for a >>> subordinate CA. Unless the CA that "signed" that subordinate has >>> been removed from trust lists then that subordinate would still be >>> useful, yes. >> The subordinate certificate is blacklisted in browsers. Furthermore, >> Mozilla does not accept any non-root certs with MD5 signatures since >> mid-2011. >> >> Ralph > > Assumes you run an updated browser, right? Yes. There's only so much we can do to protect folks who don't update their browsers. It seems very unlikely that MD5 signatures are the biggest threat that they face. > Blacklisting isn't part of the PKIX trust model, but a band-aid used to > fix the lack of deployed/able revocation. So? -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [therightkey] DNSNMC deprecates Certificate Autho… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Phillip Hallam-Baker
- Re: [therightkey] DNSNMC deprecates Certificate A… Ben Laurie
- Re: [therightkey] DNSNMC deprecates Certificate A… Ali-Reza Anghaie
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Phillip Hallam-Baker
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Phillip Hallam-Baker
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Rob Stradling
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Ben Laurie
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Stephen Farrell
- Re: [therightkey] DNSNMC deprecates Certificate A… Ben Laurie
- Re: [therightkey] DNSNMC deprecates Certificate A… Phillip Hallam-Baker
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Paul Lambert
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Ralph Holz
- Re: [therightkey] DNSNMC deprecates Certificate A… Tao Effect
- Re: [therightkey] DNSNMC deprecates Certificate A… Jacob Appelbaum
- Re: [therightkey] DNSNMC deprecates Certificate A… Ralph Holz
- Re: [therightkey] DNSNMC deprecates Certificate A… Rob Stradling
- Re: [therightkey] DNSNMC deprecates Certificate A… Jacob Appelbaum
- Re: [therightkey] DNSNMC deprecates Certificate A… Paul Hoffman
- Re: [therightkey] DNSNMC deprecates Certificate A… Jacob Appelbaum
- Re: [therightkey] DNSNMC deprecates Certificate A… Phillip Hallam-Baker
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Phillip Hallam-Baker
- Re: [therightkey] DNSNMC deprecates Certificate A… Santosh Chokhani
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Paul Hoffman
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Ralph Holz
- Re: [therightkey] DNSNMC deprecates Certificate A… Leif Johansson
- Re: [therightkey] DNSNMC deprecates Certificate A… Rob Stradling
- Re: [therightkey] DNSNMC deprecates Certificate A… Ralph Holz
- Re: [therightkey] DNSNMC deprecates Certificate A… Carl Wallace
- Re: [therightkey] DNSNMC deprecates Certificate A… Stephen Farrell
- Re: [therightkey] DNSNMC deprecates Certificate A… Ralph Holz
- Re: [therightkey] algorithm blacklisting Jacob Appelbaum