Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> Mon, 18 October 2010 17:50 UTC

Message-ID: <4CBC8924.7080001@manchester.ac.uk>
Date: Mon, 18 Oct 2010 18:51:32 +0100
From: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
To: tls@ietf.org
References: <AANLkTik4MeDWDRxXLkPd8k6HPVeKY9_7p4FQWzyXwvFD@mail.gmail.com> <201010041437.o94EbTHT029454@fs4113.wdf.sap.corp> <AANLkTinwihQa4qO1a8o=j82Csx6qMgyTGFmS+ccsbvrD@mail.gmail.com>
In-Reply-To: <AANLkTinwihQa4qO1a8o=j82Csx6qMgyTGFmS+ccsbvrD@mail.gmail.com>
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

On 04/10/10 21:04, Phillip Hallam-Baker wrote:
> <Lots of statements concerning how CAs work>
>
> For the past five years, CA certificates have been divided into Domain
> Validated and Extended Validated. As some of you know, I instigated the
> process that led to the creation of EV certs because I was very worried
> about the low quality of many DV certificates.
>
>
> Some DV certificates are of very low quality. Which is why I would like
> to see the padlock icon phased out entirely. Why does the user need to
> know if encryption is being used at all?

I'm still not convinced about the greatness of EV certificates.

Why should an organization that wants to deploy its own PKI have to 
depend on one of the big players who've managed to get their signature 
hard-coded into browsers?

How beneficial are EV certs for the end-users? Green-bar secure vs. 
blue-bar insecure (or less secure) really is a confusing 
over-simplification.

A DV cert binds a cert to a domain, whereas an EV cert binds a cert to a 
company name. However, some companies use domain names that have nothing 
to do with their company name, and which could look like competitors' 
instead: http://www.ietf.org/mail-archive/web/tls/current/msg06528.html


Best wishes,

Bruno.
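The DV/EV distinction Bruno draws (a domain name versus a company name) is visible in the certificate's subject. The following is an added example, not code from the original message or from anyone in the thread: it takes a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, reports whether the subject carries the organisation and jurisdiction attributes the CA/Browser Forum EV Guidelines require, and then checks whether the asserted organisation name is reflected in any of the certified DNS names, which is the mismatch the message points at. The attribute spellings (`businessCategory`, `jurisdictionCountryName`, the short `jurisdictionC` alias) are assumed to be what a given OpenSSL build prints; the three sample certificates are constructed for the example and use reserved `.example`/`.test` names.

```python
"""Added example: what does a certificate actually bind, a domain or an organisation?

Input is the dict shape returned by ssl.SSLSocket.getpeercert(): 'subject' is a
tuple of RDNs, each a tuple of (attribute, value) pairs; 'subjectAltName' is a
tuple of (type, value) pairs. Attribute names are assumed to be OpenSSL's.
"""
import re

# Subject attributes the EV Guidelines require and a DV certificate never has.
# The jurisdiction* spellings are assumptions about the OpenSSL build in use.
EV_ONLY_ATTRIBUTES = {
    "businessCategory", "serialNumber",
    "jurisdictionCountryName", "jurisdictionC",
    "jurisdictionStateOrProvinceName", "jurisdictionST",
    "jurisdictionLocalityName", "jurisdictionL",
}

# Legal-form suffixes and filler words that never appear in a domain label.
ORG_STOPWORDS = {"inc", "ltd", "llc", "plc", "corp", "corporation", "limited",
                 "company", "co", "the", "and", "of", "sa", "ag", "gmbh"}


def subject_to_dict(subject):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: first value}."""
    flat = {}
    for rdn in subject:
        for attr, value in rdn:
            flat.setdefault(attr, value)
    return flat


def dns_names(cert):
    """DNS names the certificate is valid for: SAN dNSName entries plus the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = subject_to_dict(cert.get("subject", ())).get("commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def classify(cert):
    """'EV-like' if EV subject attributes are present, else whether O= is set at all."""
    subj = subject_to_dict(cert.get("subject", ()))
    if "organizationName" in subj and any(a in EV_ONLY_ATTRIBUTES for a in subj):
        return "EV-like"
    if "organizationName" in subj:
        return "organizationName present but no EV subject attributes"
    return "DV-like"


def org_tokens(org):
    """Significant words of an organisation name, lower-cased, suffixes dropped."""
    return [w for w in re.findall(r"[a-z0-9]+", org.lower())
            if w not in ORG_STOPWORDS and len(w) > 2]


def org_reflected_in_domains(org, names):
    """True if any significant word of the organisation name occurs in a host name."""
    hosts = [n.lower().lstrip("*.").replace("-", "") for n in names]
    return any(tok in host for tok in org_tokens(org) for host in hosts)


def assess(cert):
    """Summarise what the certificate binds and whether O= relates to the domains."""
    subj = subject_to_dict(cert.get("subject", ()))
    org = subj.get("organizationName")
    names = dns_names(cert)
    return {
        "kind": classify(cert),
        "organization": org,
        "dns_names": names,
        # None when there is no organisation to compare (a DV certificate).
        "org_reflected_in_domain": org_reflected_in_domains(org, names) if org else None,
    }


# Constructed sample certificates (not real issuances).
DV_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"), ("DNS", "www.shop.example.net")),
}
EV_CERT_MISMATCH = {  # EV subject, but the domain says nothing about the company
    "subject": ((("countryName", "GB"),), (("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "GB"),), (("serialNumber", "01234567"),),
                (("organizationName", "Blue Harbour Outfitters Ltd"),),
                (("commonName", "www.greatbargainshop.example"),)),
    "subjectAltName": (("DNS", "www.greatbargainshop.example"), ("DNS", "greatbargainshop.example")),
}
EV_CERT_MATCH = {  # EV subject whose organisation name is reflected in the domain
    "subject": ((("countryName", "GB"),), (("businessCategory", "Private Organization"),),
                (("jurisdictionC", "GB"),), (("serialNumber", "07654321"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "examplebank.test"),)),
    "subjectAltName": (("DNS", "examplebank.test"), ("DNS", "*.examplebank.test")),
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("EV mismatch", EV_CERT_MISMATCH), ("EV match", EV_CERT_MATCH)):
        print(label, assess(cert))
```

The token comparison is a deliberately simple heuristic: it is meant to surface the case the message describes (an EV subject naming one company while the certified names suggest another), not to decide whether the domain is legitimate, which is a judgement no field in the certificate can make for the user.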