On 2/11/11 3:11 PM, Eddy Nigg wrote:
....improves reduces the spectrum of exploits... does this make any sense?

Thanks typo cop.  I'm sure it's clear what I meant.

. It also places revocation power directly in the hands of the
subscriber.

That's the same as self-assertion. Most subscribers that have their
certificates revoked not due to their own request, are probably not very
happy about it. They certainly wouldn't revoke their own certificate and
it's not meant to be that way. The issuer is obviously not the same
entity as the end user - surprise.

It's the assertion by a third party that provides the value.

Today's DV CAs already rely on a self-assertion of domain control, and they in turn assert that they observed this. In plain English, a DV cert says, "The guy holding the corresponding private key asserted that he controls the domain in question by replying to an email address at the domain in question." It is a self-assertion via DNS.

Cryptographic validation of this self-assertion is precisely what signed DNS enables, and DANE is the mechanism for doing so.

Any other assertions have no place in DV. You seem to think that DV CAs also assert some vague guarantee to police the domain in question for non-enumerated bad behaviors. Mozilla doesn't communicate any such assertion to end users, nor do any other clients. Indeed, the recent Mozilla security UI changes were done precisely to reduce any possible confusion about this.

The only thing you are accomplishing is establishing potential liability for yourself if someone can show that they suffered harm after reasonably relying on a cert that you didn't effectively police as you promised.

Steve
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
