Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Bruno Harbulot <> Mon, 18 October 2010 17:50 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 04/10/10 21:04, Phillip Hallam-Baker wrote:
> <Lots of statements concerning how CAs work>
> For the past five years, CA certificates have been divided into Domain
> Validated and Extended Validated. As some of you know, I instigated the
> process that led to the creation of EV certs because I was very worried
> about the low quality of many DV certificates.
> Some DV certificates are of very low quality. Which is why I would like
> to see the padlock icon phased out entirely. Why does the user need to
> know if encryption is being used at all?

I'm still not convinced about the greatness of EV certificates.

Why should an organization that wants to deploy its own PKI have to 
depend on one of the big players who've managed to get their signature 
hard-coded into browsers?

How beneficial are EV certs for end-users? Green-bar secure vs. 
blue-bar insecure (or less secure) really is a confusing 

A DV cert binds a cert to a domain, whereas an EV cert binds a cert to a 
company name. However, some companies use domain names that have nothing 
to do with their company name, and which could look like competitors 

Best wishes,
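The distinction drawn above (a DV certificate asserts only a domain name, an EV certificate additionally asserts a company name that need not resemble the domain) can be made concrete with Go's standard crypto/x509 package. The following is an added example written for this archive page, not code from the original message or from any CA or browser: it builds two self-signed certificates for the same hostname, one carrying only the domain and one also carrying an organisation, then shows that hostname verification succeeds identically for both and that the organisation binding has to be read out separately. The hostname "bargain-widgets.test", the company "Acme Holdings Ltd" and the registration number are constructed values; self-signing is used only so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is what a certificate actually binds: the DNS names a client
// checks during hostname verification, and the organisation fields a
// browser would display for an EV-style certificate (absent for DV-style).
type Identity struct {
	DNSNames     []string
	Organization string // empty for a domain-only (DV-style) certificate
	Country      string
	SerialNumber string // company registration number in EV certificates
}

// ExtractIdentity reads both bindings from a parsed certificate. Hostname
// verification (cert.VerifyHostname) only ever looks at the DNS names;
// nothing in the TLS handshake checks that Organization relates to them.
func ExtractIdentity(cert *x509.Certificate) Identity {
	id := Identity{DNSNames: cert.DNSNames, SerialNumber: cert.Subject.SerialNumber}
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	if len(cert.Subject.Country) > 0 {
		id.Country = cert.Subject.Country[0]
	}
	return id
}

// IsOrganizationValidated is a heuristic: true when the subject carries an
// organisation name (OV/EV-style), false when only the domain is asserted
// (DV-style). It says nothing about how carefully the CA checked either.
func IsOrganizationValidated(cert *x509.Certificate) bool {
	return len(cert.Subject.Organization) > 0
}

// selfSign builds a self-signed certificate from a template (assumption:
// used here only so the example runs offline; real DV/EV certificates
// are issued by a CA).
func selfSign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// baseTemplate holds the fields shared by both certificates: the same
// DNS name goes into the subjectAltName extension either way.
func baseTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{host},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// DVStyleCert builds a certificate asserting only a domain name.
func DVStyleCert(host string) (*x509.Certificate, error) {
	tmpl := baseTemplate(1, host)
	tmpl.Subject = pkix.Name{CommonName: host}
	return selfSign(tmpl)
}

// EVStyleCert builds a certificate that also asserts a company identity.
// The company name and the domain are deliberately unrelated.
func EVStyleCert(host, org, country, regNo string) (*x509.Certificate, error) {
	tmpl := baseTemplate(2, host)
	tmpl.Subject = pkix.Name{
		CommonName:   host,
		Organization: []string{org},
		Country:      []string{country},
		SerialNumber: regNo,
	}
	return selfSign(tmpl)
}

func main() {
	host := "bargain-widgets.test" // constructed example hostname
	dv, err := DVStyleCert(host)
	if err != nil {
		panic(err)
	}
	ev, err := EVStyleCert(host, "Acme Holdings Ltd", "GB", "12345678")
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{dv, ev} {
		fmt.Printf("hostname check for %s: err=%v\n", host, c.VerifyHostname(host))
		fmt.Printf("identity: %+v org-validated=%v\n", ExtractIdentity(c), IsOrganizationValidated(c))
	}
}
```

Both certificates pass VerifyHostname for bargain-widgets.test; only the second yields an organisation, and the code that wants to show a company name to the user has to fetch it explicitly. Nothing in the library ties "Acme Holdings Ltd" to the domain, which is exactly the gap the message above points at.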