Re: [TLS] Deployment ... Re: This working group has failed

Peter Gutmann <p.gutmann@auckland.ac.nz> Sat, 30 November 2013 04:07 UTC

From: Peter Gutmann <p.gutmann@auckland.ac.nz>
To: Andy Lutomirski <luto@amacapital.net>, "tls@ietf.org" <tls@ietf.org>
Date: Sat, 30 Nov 2013 04:07:06 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C736542186C@uxcn10-6.UoA.auckland.ac.nz>
Subject: Re: [TLS] Deployment ... Re: This working group has failed

Andy Lutomirski <luto@amacapital.net> writes:

>Not at all.  I didn't say "bundled set of trust roots;" I said "explicitly
>chosen".

We already have explicitly-chosen trust roots; they're chosen by the browser
vendors.  Or are you expecting granny to select CAs herself?  And once you've
decided to "trust" enough CAs to make the web usable, how do you deal with the
fact that many of these same CAs will happily sell their certs to phishers,
drive-by download sites, and all the other stuff that they're supposed to be
protecting us from?

>Do you really think that "completely insecure against active attack" is a
>good option?

No, but I don't see what that has to do with trusting or not trusting CAs.

Peter.