Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Leif Johansson <leifj@mnt.se> Fri, 03 January 2014 14:30 UTC

Return-Path: <leifj@mnt.se>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAE9E1ADFB9 for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 06:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZeTmmEnSK9p for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 06:30:09 -0800 (PST)
Received: from mail-la0-f53.google.com (mail-la0-f53.google.com [209.85.215.53]) by ietfa.amsl.com (Postfix) with ESMTP id 937661ADFBD for <therightkey@ietf.org>; Fri, 3 Jan 2014 06:30:08 -0800 (PST)
Received: by mail-la0-f53.google.com with SMTP id mc6so8024564lab.26 for <therightkey@ietf.org>; Fri, 03 Jan 2014 06:30:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=SFNfputpIU9tCsHXK2Eqos6d86WoQBAbpcC0j/PR57o=; b=iOlK34LuCqVG406YWSC8YlT4G3ERIIcmkJs/Qg7uQCn+gGMCuw5DMd5kSmPnBl03cV VBX0zd0vFcjF2gA0wdOSxhZxlT7ELsTfysyN0xnUQ70jRPtjBmcOLyVGJ2BMgaJn/luv 05d2yQwZIq7dDzKXagpsLPVdR/Keii6t+WzB5l2w6NUra/4901Et4yhwzFnYZFp5NwTf 5FeKSqKYIE/OwaruvHEbSybRqCnY98UM3L2H3yi9CiV129ouaICYUCIKqO6VlO5Srr+5 LmGHsxgdD8dAv8qs2DNjnEeESG3OktFC33vEmVX6yijAuxKyZvOK+OnEChTYRvh0+572 COOg==
X-Gm-Message-State: ALoCoQlNgT/5A5EFiABFAjif6xTIkgvTQULvEXEPGL6Jilj+2szv74h4Yu7CAggfwRDkSrJMJT6r
X-Received: by 10.152.4.74 with SMTP id i10mr634873lai.58.1388759400412; Fri, 03 Jan 2014 06:30:00 -0800 (PST)
Received: from [10.0.0.155] (tb62-102-145-131.cust.teknikbyran.com. [62.102.145.131]) by mx.google.com with ESMTPSA id j1sm36619581lbl.10.2014.01.03.06.29.59 for <therightkey@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 03 Jan 2014 06:29:59 -0800 (PST)
Message-ID: <52C6C966.3090606@mnt.se>
Date: Fri, 03 Jan 2014 15:29:58 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com> <52C45CDC.5020608@appelbaum.net> <96EF8E55-5860-4534-B370-83395C3985D4@vpnc.org> <52C5B67D.4050301@appelbaum.net> <A8E9A208-35FA-495F-8130-C08545011B59@vpnc.org> <52C6A819.4040509@mnt.se> <52C6B9F9.7010304@net.in.tum.de>
In-Reply-To: <52C6B9F9.7010304@net.in.tum.de>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2014 14:30:10 -0000

On 2014-01-03 14:24, Ralph Holz wrote:
> Hi,
>
>> My understanding of what Jakob wrote is that he holds the key for a 
>> subordinate CA. Unless the CA that "signed" that subordinate has
>> been removed from trust lists then that subordinate would still be
>> useful, yes.
> The subordinate certificate is blacklisted in browsers. Furthermore,
> Mozilla does not accept any non-root certs with MD5 signatures since
> mid-2011.
>
> Ralph
>

Assumes you run an updated browser, right?

Blacklisting isn't part of the PKIX trust model, but a band-aid used to
fix the lack of deployed/able revocation.

        Cheers Leif