Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Tony Finch <dot@dotat.at> Sun, 03 October 2010 16:10 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 237D33A6D70; Sun, 3 Oct 2010 09:10:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[AWL=-1.394, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5HZYe-tdRMDC; Sun, 3 Oct 2010 09:10:09 -0700 (PDT)
Received: from ppsw-50.csi.cam.ac.uk (ppsw-50.csi.cam.ac.uk [131.111.8.150]) by core3.amsl.com (Postfix) with ESMTP id 8CCB33A6CE2; Sun, 3 Oct 2010 09:10:06 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from [87.115.122.141] (port=58347 helo=[192.168.1.5]) by ppsw-50.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:587) with esmtpsa (PLAIN:fanf2) (TLSv1:AES128-SHA:128) id 1P2R9N-0004Nu-rx (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Sun, 03 Oct 2010 17:10:58 +0100
References: <AANLkTinRWJZr7huuG+Ovh3sCCUnVZAghggAzmq7g6ERx@mail.gmail.com> <1285970705.1984.136.camel@mattlaptop2.local> <AANLkTi=cD1E=QoD3uRyhHyd6bUSgd9_ibgdM5iy1+9TR@mail.gmail.com> <AANLkTimtc1aT0r+oTJYpjixTSiE+gwpORszjPYz7y7PE@mail.gmail.com> <4CA7E120.6080701@extendedsubset.com> <B7C7EE71-D872-403F-A0F4-7622BABC4C3D@dotat.at> <AANLkTinUAM9t29r+Y9fBhXHV-TWouS3hEs0N_Ai_z=Ey@mail.gmail.com>
In-Reply-To: <AANLkTinUAM9t29r+Y9fBhXHV-TWouS3hEs0N_Ai_z=Ey@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8B117)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <63650FE8-08F0-4EF4-9F5F-2348DB9AB9FA@dotat.at>
X-Mailer: iPhone Mail (8B117)
From: Tony Finch <dot@dotat.at>
Date: Sun, 3 Oct 2010 17:10:39 +0100
To: Phillip Hallam-Baker <hallam@gmail.com>
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
X-Mailman-Approved-At: Sun, 03 Oct 2010 13:20:19 -0700
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Oct 2010 16:10:14 -0000

On 3 Oct 2010, at 16:14, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> 
> Moving from a market based solution with multiple CAs to a monopoly with one trust provider does not help at all. It makes the situation much worse because there is now no possibility of choice in the future.

It has the advantage of preventing a race to the bottom.

Note that there is a fair amount of choice available at lower levels in the DNS. So long as the registry provides a secure infrastructure, customers of secure registrars need not be concerned that insecure registrars can steal their names. There is no similar regulation of CAs.

Tony.
--
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/