Re: [TLS] [DNSOP] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Paul Wouters <> Wed, 22 June 2011 20:25 UTC

To: Phillip Hallam-Baker <>

On Mon, 4 Oct 2010, Phillip Hallam-Baker wrote:

> 2) Sanction CAs that issue unauthorized certificates

What would you say a valid sanction would be for a CA that issues a bad
certificate for 10 major websites like Mozilla and Yahoo?

What should the sanction be for a CA whose reseller's subCAs issue such
bad certificates?

What would the sanctions be for non-FQDN EV certs issued?

What would the current total sanction be for Comodo, a player who has
someone as honourable as you working for them based on last year's events
plus EV violations detected via the SSL observatory data?

How could an external party review the set of unknown serials revoked by
Comodo to determine the kind/amount of sanction?

Would Comodo's "licence" have been revoked, or would the sanctions have
been limited by money? If so, would the money be in absolute value or
percentage of profit/turnover?

What would or could Comodo have done differently if such a sanction had
been applied?

There is really only one sanction everyone can determine by themselves
to apply to any CA, the decision to trust them more or less than
themselves. If the latter, DNSSEC with DANE is an excellent choice. Feel
free to interpret DANE as each TLS owner's "sanction".