Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
Phillip Hallam-Baker <hallam@gmail.com> Mon, 18 October 2010 18:17 UTC
Looks like your mail went into hyperspace somehow, it only just arrived.

EV is about accountability. The purpose of an EV cert is not to authenticate the holder, it is to demonstrate that the holder stands a higher risk of consequences that are designed to make it uneconomic to use EV certs for typical Internet crimes.

They are certainly not the only security control that is needed in the Internet, but they are a very useful one.

On Mon, Oct 18, 2010 at 1:51 PM, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:

> On 04/10/10 21:04, Phillip Hallam-Baker wrote:
>
>> <Lots of statements concerning how CAs work>
>>
>> For the past five years, CA certificates have been divided into Domain
>> Validated and Extended Validated. As some of you know, I instigated the
>> process that led to the creation of EV certs because I was very worried
>> about the low quality of many DV certificates.
>>
>> Some DV certificates are of very low quality. Which is why I would like
>> to see the padlock icon phased out entirely. Why does the user need to
>> know if encryption is being used at all?
>
> I'm still not convinced about the greatness of EV certificates.
>
> Why should an organization that wants to deploy its own PKI have to depend
> on one of the big players who've managed to get their signature hard-coded
> into browsers?
>
> How beneficial are EV certs for the end-users? Green-bar secure vs.
> Blue-bar insecure (or less secure) really is a confusing
> over-simplification.
>
> A DV cert binds a cert to a domain, whereas an EV cert binds a cert to a
> company name. However, some companies use domain names that have nothing to
> do with their company name, and which could look like competitors instead:
> http://www.ietf.org/mail-archive/web/tls/current/msg06528.html
>
> Best wishes,
>
> Bruno.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
Website: http://hallambaker.com/