Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Mon, 18 October 2010 21:25 UTC

To: mrex@sap.com, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
Cc: tls@ietf.org

Martin and all,

  Excellent point!


-----Original Message-----
>From: Martin Rex <mrex@sap.com>
>Sent: Oct 18, 2010 1:28 PM
>To: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
>Cc: tls@ietf.org
>Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
>
>EV vs. DV is primarily about "risk management", based on the
>flawed assumption that "green-bar" vs. blue-bar/white-bar 
>would affect user behaviour.
>
>Look at the real world:
>signin.ebay.<country> uses an EV-Cert, probably because ebay may
>have to pay for damages if someone steals user account credentials
>and abuses them.
>
>payments.ebay.<country> uses a DV-Cert, because the user bears all
>risks from his payment data getting leaked.
>
>
>-Martin
>
>
>
>Bruno Harbulot wrote:
>> 
>> On 04/10/10 21:04, Phillip Hallam-Baker wrote:
>> >
>> > For the past five years, CA certificates have been divided into Domain
>> > Validated and Extended Validated. As some of you know, I instigated the
>> > process that led to the creation of EV certs because I was very worried
>> > about the low quality of many DV certificates.
>> >
>> > Some DV certificates are of very low quality. Which is why I would like
>> > to see the padlock icon phased out entirely. Why does the user need to
>> > know if encryption is being used at all?
>> 
>> I'm still not convinced about the greatness of EV certificates.
>> 
>> Why should an organization that wants to deploy its own PKI have to 
>> depend on one of the big players who've managed to get their signature 
>> hard-coded into browsers?
>> 
>> How beneficial are EV certs for the end-users? Green-bar secure vs. 
>> Blue-bar insecure (or less secure) really is a confusing 
>> over-simplification.
>> 
>> A DV cert binds a cert to a domain, whereas an EV cert binds a cert to a 
>> company name. However, some companies use domain names that have nothing 
>> to do with their company name, and which could look like competitors 
>> instead: http://www.ietf.org/mail-archive/web/tls/current/msg06528.html

Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827