Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Phillip Hallam-Baker <hallam@gmail.com> Mon, 18 October 2010 18:17 UTC

In-Reply-To: <4CBC8924.7080001@manchester.ac.uk>
References: <AANLkTik4MeDWDRxXLkPd8k6HPVeKY9_7p4FQWzyXwvFD@mail.gmail.com> <201010041437.o94EbTHT029454@fs4113.wdf.sap.corp> <AANLkTinwihQa4qO1a8o=j82Csx6qMgyTGFmS+ccsbvrD@mail.gmail.com> <4CBC8924.7080001@manchester.ac.uk>
Date: Mon, 18 Oct 2010 14:19:02 -0400
Message-ID: <AANLkTi=cKVQf_Du4GS_MEgpFARXneuHxGTTG1YFJCoh-@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
Cc: tls@ietf.org
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Looks like your mail went into hyperspace somehow; it only just arrived.

EV is about accountability. The purpose of an EV cert is not to authenticate
the holder, it is to demonstrate that the holder stands a higher risk of
consequences that are designed to make it uneconomic to use EV certs for
typical Internet crimes.

They are certainly not the only security control that is needed in the
Internet, but they are a very useful one.

On Mon, Oct 18, 2010 at 1:51 PM, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:

>
>
> On 04/10/10 21:04, Phillip Hallam-Baker wrote:
>
>> <Lots of statements concerning how CAs work>
>>
>> For the past five years, CA certificates have been divided into Domain
>> Validated and Extended Validated. As some of you know, I instigated the
>> process that led to the creation of EV certs because I was very worried
>> about the low quality of many DV certificates.
>>
>>
>> Some DV certificates are of very low quality. Which is why I would like
>> to see the padlock icon phased out entirely. Why does the user need to
>> know if encryption is being used at all?
>>
>
> I'm still not convinced about the greatness of EV certificates.
>
> Why should an organization that wants to deploy its own PKI have to depend
> on one of the big players who've managed to get their signature hard-coded
> into browsers?
>
> How beneficial are EV certs for the end-users? Green-bar secure vs.
> blue-bar insecure (or less secure) really is a confusing
> over-simplification.
>
> A DV cert binds a cert to a domain, whereas an EV cert binds a cert to a
> company name. However, some companies use domain names that have nothing to
> do with their company name, and which could look like competitors instead:
> http://www.ietf.org/mail-archive/web/tls/current/msg06528.html
>
>
> Best wishes,
>
> Bruno.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
Website: http://hallambaker.com/
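The exchange above turns on what each certificate type actually binds: a DV cert binds only a DNS name, an EV cert additionally binds a vetted legal-entity name, and (Bruno's point) the two names need not resemble each other. The following is an added example, not code from either author or from any CA or browser project. It takes the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, classifies the cert by the EV-only subject attributes, reports what a relying party can conclude from it, and checks whether the organisation name shares any distinctive word with the domain. The certificate dicts are constructed samples, and the attribute key strings (`businessCategory`, `jurisdictionCountryName`, `serialNumber`) are assumed to follow OpenSSL's long names, which is what `getpeercert()` emits on common builds.

```python
"""Added example (not from the thread or either author): inspect what a server
certificate actually binds, using the dict shape returned by Python's
ssl.SSLSocket.getpeercert(). The certificate dicts below are constructed
samples; attribute keys assume OpenSSL's long names."""

# Subject attributes the CA/Browser Forum EV Guidelines require and that DV
# certificates never carry (assumption: key strings as OpenSSL's long names).
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

# Corporate-form words that say nothing about the brand behind a domain.
GENERIC_ORG_WORDS = {"inc", "ltd", "llc", "plc", "corp", "corporation",
                     "company", "the", "and", "of"}


def subject_attrs(cert):
    """Flatten getpeercert()'s subject, a tuple of RDNs each holding (key, value)
    pairs, into a plain dict (first occurrence of a key wins)."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            attrs.setdefault(key, value)
    return attrs


def san_dns_names(cert):
    """All DNS names in subjectAltName: the only binding a DV certificate makes."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def classify(cert):
    """'EV' when the subject carries an organizationName plus every EV-only field,
    otherwise 'DV'. OV certs (an O but no EV fields) are grouped with DV here
    because neither has been through EV vetting."""
    attrs = subject_attrs(cert)
    if "organizationName" in attrs and EV_SUBJECT_FIELDS.issubset(attrs):
        return "EV"
    return "DV"


def bindings(cert):
    """What a relying party can conclude: DNS names in every case, and a vetted
    legal-entity name only for EV."""
    kind = classify(cert)
    org = subject_attrs(cert).get("organizationName") if kind == "EV" else None
    return {"type": kind, "dns_names": san_dns_names(cert), "organization": org}


def org_matches_domain(cert):
    """Does the vetted company name resemble the domain at all? Returns None for
    DV (nothing to compare), True if any distinctive word of organizationName
    occurs inside some SAN DNS name, else False."""
    info = bindings(cert)
    if info["organization"] is None:
        return None
    words = [w.strip(".,") for w in info["organization"].lower().split()]
    words = [w for w in words if w and w not in GENERIC_ORG_WORDS]
    return any(word in name.lower() for word in words for name in info["dns_names"])


# Constructed DV certificate: only a domain name is bound.
DV_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

# Constructed EV certificate whose vetted company name shares nothing with its domain.
EV_CERT_UNRELATED = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Holdings, Inc."),),
        (("commonName", "www.otherbrand.test"),),
    ),
    "subjectAltName": (("DNS", "www.otherbrand.test"),),
}

# Constructed EV certificate where the company name and the domain agree.
EV_CERT_RELATED = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "GB"),),
        (("serialNumber", "00000001"),),
        (("countryName", "GB"),),
        (("organizationName", "Otherbrand Ltd"),),
        (("commonName", "www.otherbrand.test"),),
    ),
    "subjectAltName": (("DNS", "www.otherbrand.test"),),
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("EV unrelated", EV_CERT_UNRELATED),
                        ("EV related", EV_CERT_RELATED)):
        print(label, bindings(cert), "org/domain related:", org_matches_domain(cert))
```

Running the script against a live connection means passing `sock.getpeercert()` in place of the constructed dicts. The word-overlap heuristic is deliberately crude: a `False` result is a prompt for a human to look at the cert, not an automated verdict, and an `EV` result says only that a CA vetted the entity named in `O`, exactly the accountability property the reply above describes.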