Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Phillip Hallam-Baker <> Mon, 16 December 2013 14:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0A30F1AE32D for <>; Mon, 16 Dec 2013 06:31:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O4FpLZ0y5sCr for <>; Mon, 16 Dec 2013 06:31:30 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c03::229]) by (Postfix) with ESMTP id 18F2D1AE323 for <>; Mon, 16 Dec 2013 06:31:29 -0800 (PST)
Received: by with SMTP id w61so4718021wes.28 for <>; Mon, 16 Dec 2013 06:31:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wmSLnIbqGIuDL2hgFrZjfGYzk/6KXyiPKKXjpNkxtFM=; b=yHqnlDNYPfX/2brPZKtQDKcEHF/kSuemiXQ1roDBjl84SuiB3tkw6awpPIsUTCs8e7 jGPLM2ckj+Eld8nZfj7bf8K1yGoUWZCdRLRTt7Z7vcHdRR+QLNi7+XLKCpxzQa3fYDmk bB4V5RmMj4sDHp6Uoj3IQ6QpwC78FmEABYn/OB+Pcz2KfjO+Be6rwLYppsAx5vEOTrFM uN1Q6QCa6Db78tIX3vMt5LvcS63xAp40YJ+7ygPSppFkL1WZxMr3FyJFpKmOBt2qv3YU 786qa14HQOYUEbND2ORLsSG5BD3j5jdcy3TSZlFj8Y7VvZFupwvzZlH+vTo15hke6jSN Udlg==
MIME-Version: 1.0
X-Received: by with SMTP id gk2mr4316781wib.32.1387204288839; Mon, 16 Dec 2013 06:31:28 -0800 (PST)
Received: by with HTTP; Mon, 16 Dec 2013 06:31:28 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Mon, 16 Dec 2013 09:31:28 -0500
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Leif Johansson <>
Content-Type: multipart/alternative; boundary=f46d04426f1cde081f04eda7aa35
Cc: "" <>, Tao Effect <>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Dec 2013 14:31:32 -0000

On Mon, Dec 16, 2013 at 1:32 AM, Leif Johansson <> wrote:

> 16 dec 2013 kl. 03:21 skrev Phillip Hallam-Baker <>om>:
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <> wrote:
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>> I thought the EFF was a reputable source.
>> There has been no update or correction to their post:
> Which kind of calls their credibility into question. HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.
> yep, DFN is a 'private' sub-CA under tight control but it could still be
> attacked the way diginotar was and though I believe their secuity is a lot
> better than their less fortunate Dutch cousins, a successful attack would
> be just as bad.

That does not excuse

1) Failing to examine the issue when the DFN root accounted for half of the
purported '600 CAs'

2) Continuing to count the DFN as 300 CAs when they know it is one.

Putting out sloppy research and then failing to correct it when a mistake
is committed is the problem. If someone publishes a flawed study I expect
them to withdraw it when the errors are pointed out. I don't expect them to
say that they are going to continue to publish a number they know is out by
a factor of at least 2 because getting a correct number would be too much

If people are going to make pointed accusations about the trustworthiness
of others then they had better not continue to knowingly publish false data.

As with the 'Al Gore claimed to invent the internet' lie, this has become a
zombie lie that is repeated to make a political point by people who don't
really care if what they are saying is true or not.

I think that is a problem. And I am going to continue to point out that the
EFF is peddling a lie until they withdraw it.