Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Marsh Ray <marsh@extendedsubset.com>]

On 06/30/2010 11:41 AM, Martin Rex wrote:
>
> Recoloring a part of the browser toolbar is a feature developed
> by marketeers.  Unless it is clearly defined how things should
> work with protocols (rfc-2818 or draft-saintandre-tls-server-id-check)
> this approach is going to create new problems, because it completely
> ignores programmatic clients.

Not only that but it's "opt-in" validation on the part of the guy 
running the server (be they legitimate or attacker). I kinda thought it 
was the job of the CA to do their due diligence in authenticating the 
applicant all along, so now charging an applicant extra for the 
privilege of being thoroughly authenticated does not enhance their 
credibility in my view. Not to mention the reports that some trusted 
root CAs have a practice of issuing "sub CA" certificates. It seems that 
there is an unknown (but non-zero) number of these sub-CAs around, each 
having pretty much full authority to issue server certs that are trusted 
by your browser.

Although this is a subject of great interest to myself and others on the 
list, it might be drifting just slightly off-topic for the IETF TLS 
list. The RFCs that I've read mostly stick to the mechanics of the 
crypto, the data structures, and the protocol itself and (probably 
wisely) stay out of recommending in whom you should place your 
unrestricted trust. So I suggest we steer away from the terms "valid" or 
"invalid cert" unless we include enough specifics to have a meaningful 
discussion in the context of some specific RFCs.

- Marsh