Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Leif Johansson <leifj@mnt.se> Fri, 03 January 2014 12:08 UTC

Message-ID: <52C6A819.4040509@mnt.se>
Date: Fri, 03 Jan 2014 13:07:53 +0100
From: Leif Johansson <leifj@mnt.se>
To: therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com> <52C45CDC.5020608@appelbaum.net> <96EF8E55-5860-4534-B370-83395C3985D4@vpnc.org> <52C5B67D.4050301@appelbaum.net> <A8E9A208-35FA-495F-8130-C08545011B59@vpnc.org>
In-Reply-To: <A8E9A208-35FA-495F-8130-C08545011B59@vpnc.org>

On 2014-01-02 23:50, Paul Hoffman wrote:
> On Jan 2, 2014, at 10:57 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
>
>> I control the private key for the rogue CA that we created.
> True. However, that rogue CA is not trusted in any root pile, right? You holding a private key for a trusted CA was, appropriately, a big deal. You holding a private key for an untrusted CA is uninteresting.
>

My understanding of what Jacob wrote is that he holds the key for a
subordinate CA. Unless the CA that "signed" that subordinate has been
removed from trust lists, that subordinate would still be useful, yes.
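As an added illustration of the point above (this script is not part of the thread), the following builds a root, a subordinate CA and a leaf certificate with OpenSSL and checks the leaf against a trust store that still contains the signing root and against one from which it has been removed; every name and key is constructed for the demo, and an OpenSSL 1.1.1 or newer command line is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds root -> subordinate -> leaf with
# OpenSSL (1.1.1+ CLI assumed) and checks the leaf against two trust stores.
# Every name and key here is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed root, and an unrelated root standing in for "root removed".
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" 2>/dev/null
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -keyout other.key -out other.pem -subj "/CN=Unrelated Root CA" 2>/dev/null

# Subordinate CA signed by the root; whoever holds sub.key can issue leaves.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout sub.key -out sub.csr -subj "/CN=Demo Subordinate CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.cnf -extensions ca -out sub.pem 2>/dev/null

# End-entity certificate issued by the subordinate.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null

# verify_leaf <trust store PEM>: prints "trusted" or "untrusted".
verify_leaf() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted sub.pem leaf.pem \
       >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

echo "root still trusted: $(verify_leaf root.pem)"    # trusted
echo "root removed:       $(verify_leaf other.pem)"   # untrusted
```

The subordinate's key stays usable exactly as long as the root that signed it is in the relying party's store, which is why distrusting or revoking the issuer, not just knowing about the key, is what ends the exposure.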