IETF Logo Mail Archive

Re: [therightkey] Barely-capable CAs

Lucy Lynch <llynch@civil-tongue.net> Thu, 01 November 2012 16:38 UTC

Return-Path: <llynch@civil-tongue.net>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B257321F8D73 for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 09:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.855
X-Spam-Level:
X-Spam-Status: No, score=-101.855 tagged_above=-999 required=5 tests=[AWL=0.745, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9TE4P5AsBAS7 for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 09:38:34 -0700 (PDT)
Received: from hiroshima.bogus.com (hiroshima.bogus.com [IPv6:2001:418:1::80]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC2921F8D66 for <therightkey@ietf.org>; Thu, 1 Nov 2012 09:38:34 -0700 (PDT)
Received: from hiroshima.bogus.com (localhost [127.0.0.1]) by hiroshima.bogus.com (8.14.3/8.14.3) with ESMTP id qA1GcTDT069304 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 1 Nov 2012 09:38:29 -0700 (PDT) (envelope-from llynch@civil-tongue.net)
Received: from localhost (llynch@localhost) by hiroshima.bogus.com (8.14.3/8.14.3/Submit) with ESMTP id qA1GcSw8069301; Thu, 1 Nov 2012 09:38:28 -0700 (PDT) (envelope-from llynch@civil-tongue.net)
Date: Thu, 01 Nov 2012 09:38:28 -0700
From: Lucy Lynch <llynch@civil-tongue.net>
X-X-Sender: llynch@hiroshima.bogus.com
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com>
Message-ID: <alpine.BSF.2.00.1211010935330.60568@hiroshima.bogus.com>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <CABrd9SRa9Ye9gkjpaQ+PqQyay9NKJB__dkDwOBwPHvw16dkTRg@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/Mixed; BOUNDARY="===============7172665379058522590=="
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 16:38:34 -0000

On Thu, 1 Nov 2012, Phillip Hallam-Baker wrote:

> This is about barely capable sysadmins.

I'm a barely capable sysadmin and the steps Ben outlined seem both 
reasonable and do-able to me. I also like the option to build it into the 
server where smart hands can build it into the default options for 
configuration -

- Lucy

> Different problem.
>
>
> On Thu, Nov 1, 2012 at 11:14 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
>> On Nov 1, 2012, at 2:10 AM, Ben Laurie <benl@google.com> wrote:
>>
>>> Its only software. The process of participating in CT for a server
>> operator is:
>>>
>>> 1. Run command line tool once, giving it your certificate as input and
>>> an SCT file as output.
>>>
>>> 2. Add one line of configuration to your server config.
>>>
>>> Not exactly rocket science. If people _really_ find it hard, we could
>>> build it into the servers so there was no manual step at all.
>>
>> As someone who has to trust every CA in the root pile in my browsers and
>> OSs, I find it frightening that a CA who can say "this is your bank's
>> certificate" cannot handle new requirements for how to say that. If
>> adopting a simple protocol like this causes an ossified CA too many
>> problems, maybe I don't trust that CA to be able to issue certificates for
>> my bank, much less to be able to know which certificates that they are
>> actually issuing.
>>
>> --Paul Hoffman
>> _______________________________________________
>> therightkey mailing list
>> therightkey@ietf.org
>> https://www.ietf.org/mailman/listinfo/therightkey
>>
>
>
>
>
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey

v2.23.0 | Report a Bug | By Email