IETF Logo Mail Archive

[therightkey] Barely-capable CAs

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 01 November 2012 15:14 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7855221F8C9E for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 08:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDDeGg1YTwlr for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 08:14:58 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id D29ED21F8C9C for <therightkey@ietf.org>; Thu, 1 Nov 2012 08:14:57 -0700 (PDT)
Received: from [10.20.30.101] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id qA1FEu0R091470 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <therightkey@ietf.org>; Thu, 1 Nov 2012 08:14:56 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com>
Date: Thu, 01 Nov 2012 08:14:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <70E51AD3-D937-416E-8F3C-60B6156190DC@vpnc.org> <CAMm+LwgSrwBO=cD5zQ5G1PG0YyC7gvG7cWGqhL1KhPectG6Y+w@mail.gmail.com> <DDDF8726-F491-46AB-9A4A-AFB99006A393@vpnc.org> <42F98BCB-17F8-427E-8E9D-33A04978A339@vpnc.org> <CAMm+LwihwHFYcAkJvjRe7Js9AJkS8s6ZooxJnE526UOsWHGCuw@mail.gmail.com> <A09B4DFF-936C-488C-9915-B5F9A579FA1F@vpnc.org> <CABrd9STFeAxxmFDCZMkREXyEcKbeeQbF8ZeESXcoKPnkckdZwQ@mail.gmail.com> <CAMm+Lwg6EoSy-p7US0uZtKjxGHF39iH-0mvxg-hJ+AqK4vXL-A@mail.gmail.com> <CABrd9SRa9Ye9gkjpaQ+PqQyay9NKJB__dkDwOBwPHvw16dkTRg@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <CABrd9S! R4y5nRm-AP6t5_HzUO+CROwh+KnVn48_9hMTFQ4A93=Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com>
To: "therightkey@ietf.org" <therightkey@ietf.org>
X-Mailer: Apple Mail (2.1499)
Subject: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 15:14:58 -0000

On Nov 1, 2012, at 2:10 AM, Ben Laurie <benl@google.com> wrote:

> Its only software. The process of participating in CT for a server operator is:
> 
> 1. Run command line tool once, giving it your certificate as input and
> an SCT file as output.
> 
> 2. Add one line of configuration to your server config.
> 
> Not exactly rocket science. If people _really_ find it hard, we could
> build it into the servers so there was no manual step at all.

As someone who has to trust every CA in the root pile in my browsers and OSs, I find it frightening that a CA who can say "this is your bank's certificate" cannot handle new requirements for how to say that. If adopting a simple protocol like this causes an ossified CA too many problems, maybe I don't trust that CA to be able to issue certificates for my bank, much less to be able to know which certificates that they are actually issuing.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email