Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Andrew Sullivan <> Mon, 04 October 2010 19:17 UTC

Date: Mon, 4 Oct 2010 15:18:16 -0400
From: Andrew Sullivan <>
To: Phillip Hallam-Baker <>
Cc: Tony Finch <>

On Sun, Oct 03, 2010 at 11:14:23AM -0400, Phillip Hallam-Baker wrote:
> What is actually being proposed is to replace the fifteen year established
> system of CAs with a new scheme starting in November.

[. . .]

> I really don't think that we want to replace the existing infrastructure with a
> new PKI designed by people who claim not to understand the issues involved.
> As the proposers of this scheme have done repeatedly.

Suppose all of that is true (and I think it's a gross
misrepresentation of the situation, but never mind that), so what?
Presumably, if this new PKI sucks as much as you say it does, nobody
will use it, and no harm will come.  If it's a kind of snake oil that
appeals to the clueless (i.e. it sucks as much as you say it does, but
it's jumped up and marketed in a way that lures people who don't know
any better), then it will have some spectacular failure and everyone
will thenceforth avoid it.  So what's the problem, even if things are
as bad as you say?

Also, why isn't this on the list devoted to this discussion (followup set)?


Andrew Sullivan
Shinkuro, Inc.