Re: [therightkey] Barely-capable CAs

Rob Stradling <rob.stradling@comodo.com> Thu, 01 November 2012 20:00 UTC

Message-ID: <5092D4C1.2000701@comodo.com>
Date: Thu, 01 Nov 2012 20:00:01 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com> <59E2ABDF-EF90-4BBF-BC45-048BF4C2B848@vpnc.org> <5092C4F7.1060908@comodo.com> <B02347BF-059C-40B1-AD2E-572EBFFD3869@vpnc.org>
In-Reply-To: <B02347BF-059C-40B1-AD2E-572EBFFD3869@vpnc.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: therightkey@ietf.org
Subject: Re: [therightkey] Barely-capable CAs

On 01/11/12 19:54, Paul Hoffman wrote:
> On Nov 1, 2012, at 11:52 AM, Rob Stradling <rob.stradling@comodo.com> wrote:
>
>> On 01/11/12 16:46, Paul Hoffman wrote:
>>> On Nov 1, 2012, at 9:29 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>>
>>>> This is about barely capable sysadmins.
>>>>
>>>> Different problem.
>>>
>>> From the perspective of the relying party (me, caring about making a secure connection to my bank), the problems are indistinguishable. A CA who retains a sysadmin who is barely capable
>>
>> Paul, this is about barely capable sysadmins _at your bank_, not at the CA.
>>
>> (Ben wrote "The process of participating in CT for a _server operator_ is...")
>
> OK, maybe I'm confused here, or maybe you are. If my bank has a certificate issued by a CA who is actively participating in CT, there is no requirement on the bank at all, correct?

If by "actively participating" you mean that the CA has embedded the CT 
proof in the cert, then yes, there is no requirement on the bank.

If the CA instead embeds the CT proof in OCSP Responses relating to the 
cert, then there is no requirement on the bank apart from using OCSP 
Stapling.

If the CA is not participating in either of these 2 ways, then there is 
a requirement on the bank (aka the "server operator"), which may or may 
not be rocket science, depending on your opinion.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
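The three delivery paths Rob lists (the CT proof embedded in the certificate, carried in a stapled OCSP response, or sent by the server in a TLS extension) all carry the same wire structure, the SignedCertificateTimestampList that was later standardised in RFC 6962. What follows is an added example, not code from this thread or from Comodo, that decodes that structure the way a server operator or relying party would when checking which of the three cases a certificate falls into. The extension OIDs are the ones RFC 6962 assigns; the log IDs, timestamps and signatures in the sample are constructed placeholders, and verifying the log's signature against its public key is out of scope here.

```python
"""Decode an RFC 6962 SignedCertificateTimestampList (added example).

The list appears in three places: the X.509 extension 1.3.6.1.4.1.11129.2.4.2
(no server-side work), the OCSP singleExtension 1.3.6.1.4.1.11129.2.4.5 (server
must staple OCSP), or the TLS signed_certificate_timestamp extension (server must
be configured to send it).  The first two wrap the list in a DER OCTET STRING;
the TLS extension carries the list bare.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

CERT_SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"   # X.509 extension (RFC 6962 3.3)
OCSP_SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.5"   # OCSP singleExtension (RFC 6962 3.3)


@dataclass
class SCT:
    version: int        # 0 == v1
    log_id: bytes       # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # CtExtensions, empty in practice for v1
    hash_alg: int       # TLS HashAlgorithm (4 == sha256)
    sig_alg: int        # TLS SignatureAlgorithm (3 == ecdsa)
    signature: bytes    # log signature over the (pre)certificate; not verified here


def _read_vector(buf: bytes, pos: int, len_bytes: int, min_len: int = 0):
    """Read a TLS opaque<...> vector: big-endian length prefix, then body."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if n < min_len or pos + n > len(buf):
        raise ValueError("vector length out of range")
    return buf[pos:pos + n], pos + n


def parse_sct(data: bytes) -> SCT:
    """Decode one SerializedSCT (RFC 6962 section 3.2); rejects trailing bytes."""
    if len(data) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    if data[0] != 0:
        raise ValueError("unsupported SCT version %d" % data[0])
    log_id, timestamp_ms = data[1:33], int.from_bytes(data[33:41], "big")
    extensions, pos = _read_vector(data, 41, 2)
    # DigitallySigned: SignatureAndHashAlgorithm (2 bytes) + opaque signature<0..2^16-1>
    if pos + 2 > len(data):
        raise ValueError("missing signature algorithm")
    hash_alg, sig_alg = data[pos], data[pos + 1]
    signature, pos = _read_vector(data, pos + 2, 2)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(0, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(blob: bytes) -> List[SCT]:
    """Decode a SignedCertificateTimestampList; the list and every entry are non-empty."""
    body, pos = _read_vector(blob, 0, 2, min_len=1)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        item, p = _read_vector(body, p, 2, min_len=1)
        scts.append(parse_sct(item))
    return scts


def unwrap_der_octet_string(der: bytes) -> bytes:
    """Strip the OCTET STRING wrapper used by the X.509 and OCSP extension values."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    first = der[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    if pos + length != len(der):
        raise ValueError("DER length does not match content")
    return der[pos:]


def embedded_scts(extension_value: bytes) -> List[SCT]:
    """SCTs from an X.509 or OCSP extension value (OCTET STRING around the list)."""
    return parse_sct_list(unwrap_der_octet_string(extension_value))


def sct_time_utc(sct: SCT) -> str:
    return datetime.fromtimestamp(sct.timestamp_ms // 1000, tz=timezone.utc).isoformat()


# Encoders, used only to build the constructed sample below.
def _vector(body: bytes, len_bytes: int) -> bytes:
    return len(body).to_bytes(len_bytes, "big") + body

def encode_sct(s: SCT) -> bytes:
    return (bytes([s.version]) + s.log_id + s.timestamp_ms.to_bytes(8, "big")
            + _vector(s.extensions, 2) + bytes([s.hash_alg, s.sig_alg]) + _vector(s.signature, 2))

def encode_sct_list(scts: List[SCT]) -> bytes:
    return _vector(b"".join(_vector(encode_sct(s), 2) for s in scts), 2)

def der_octet_string(body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([0x04, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([0x04, 0x80 | len(lb)]) + lb + body

# Constructed sample: two SCTs from two fake logs with placeholder signatures.
SAMPLE_SCTS = [
    SCT(0, bytes(range(32)), 1351800001000, b"", 4, 3, b"\xaa" * 70),
    SCT(0, bytes([0xAB]) * 32, 1351800002000, b"", 4, 3, b"\xbb" * 70),
]
SAMPLE_EXTENSION_VALUE = der_octet_string(encode_sct_list(SAMPLE_SCTS))

if __name__ == "__main__":
    for s in embedded_scts(SAMPLE_EXTENSION_VALUE):
        print(s.log_id.hex()[:16], sct_time_utc(s), "sig bytes:", len(s.signature))
```

A non-empty result from `embedded_scts` on the certificate's extension is Rob's first case: nothing for the server operator to do. If the certificate carries no such extension, the same `parse_sct_list` decodes the OCSP singleExtension value (after the OCTET STRING unwrap) or the raw TLS extension body, and the server operator has to arrange for one of those to reach the client. Decoding is only half the check: each SCT's signature must still be verified against the public key of the log named by `log_id`, which needs the log list and the (pre)certificate and is not shown here.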