Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Daniel Kahn Gillmor <> Mon, 01 June 2015 19:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0A4AC1B3233 for <>; Mon, 1 Jun 2015 12:13:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PlTJhsQCk_TY for <>; Mon, 1 Jun 2015 12:13:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3B5961B3231 for <>; Mon, 1 Jun 2015 12:13:28 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTPSA id 91A07F984; Mon, 1 Jun 2015 15:13:24 -0400 (EDT)
Received: by (Postfix, from userid 1000) id 7CFEB1FF76; Mon, 1 Jun 2015 15:13:02 -0400 (EDT)
From: Daniel Kahn Gillmor <>
To: Michael Hamburg <>
In-Reply-To: <>
References: <> <> <> <> <>
User-Agent: Notmuch/0.20 ( Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Mon, 01 Jun 2015 15:13:02 -0400
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <>
Cc: Phillip Rogaway <>, TLS Mailing List <>, Charanjit Jutla <>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Jun 2015 19:13:30 -0000

On Mon 2015-06-01 14:33:16 -0400, Michael Hamburg wrote:
> I tried to get one from Comodo about a year ago.  It wasn’t advertised
> on their website but I asked one of their tech support folks.  They
> said that it was an experimental feature for business customers only,
> and would cost me something like $600.  I don’t remember if that was a
> 1-year or 3-year cert.

I just went back through my notes: in November 2014, i used a small
(~$5?) credit i had with to get a PositiveSSL Comodo
cert with ECC.  I couldn't figure out how to submit the ECC cert through
the web interface, so i opened their "live support"
chat, and got this suggestion:

>>> Unfortunately our system cannot parse ECDSA public keys. As an
>>> option you can purchase the cert here and you would need to submit a
>>> ticket to us for the manual cert activation.

>>> To submit a ticket, please follow this link:
>>> Please provide the cert or order ID, the request and approver and
>>> admin contacts in the ticket

I did that, and the confirmation e-mail came through about a half-hour

> Anyway you can get ECDSA certs relatively easily, but not cheaply; or
> at least, that’s how it was a year ago.

I found it was quick and cheap, but the UI/UX was not as streamlined as
I wanted it to be for a DV cert (i had to nag two humans, via chat and
the ticket system to make it happen, but it did happen promptly).

ymmv, of course,