On 10 Feb 2012, at 01:22 , Stephen Kent wrote:
>> Or should we just be trusting a certification authority to do what it
>> says it will do in its CPS, perhaps just confirming that an email address
>> asserted in a certificate request is indeed accessible by the party that's
>> requesting a cert wi
On Wed, Feb 8, 2012 at 9:06 AM, Stephen Kent wrote:
So, I don't agree that the distinction between the user and a machine
operated by a user is really significant, in the end. (Yes, I am ware of
the many security problems that arise because the user doesn't really know
what the code is doing,
At 3:14 PM -0800 2/9/12, Joe St Sauver wrote:
Steve commented:
#I think we are in agreement. CAs that are not authoritative for asserted
#identities are as bad as federated trust entities with similar properties.
I tend to be a concrete thinker, so I hope you'll indulge me for a minute
in a con
Steve commented:
#I think we are in agreement. CAs that are not authoritative for asserted
#identities are as bad as federated trust entities with similar properties.
I tend to be a concrete thinker, so I hope you'll indulge me for a minute
in a concrete exercise related to your assertion.
-- As
The relevance to PKI is that those MITM CAs wouldn't be such a big
deal if they were useless. If anyone wants to continue down the "how
to get CB deployed" I agree we should continue on the http auth list.
___
therightkey mailing list
therightkey@ietf.or
At 11:29 PM +0100 2/9/12, DIEGO LOPEZ GARCIA wrote:
On 8 Feb 2012, at 20:30 , Stephen Kent wrote:
>...and I do agree with you in that whichever
entity making such assertion (X.509, SAML, JWT)
has to be authoritative for the identity
asserted if you want it to be usable.
I think we are in a
On Feb 9, 2012, at 7:35 PM, Nico Williams wrote:
> The only thing missing, of course, is web user authentication
> technologies that scale to the Internet and have channel binding
> support.
>
> I would like to see web userauth technologies that have support for
> channel binding.
>
> If such t
On Thu, Feb 9, 2012 at 7:49 AM, Phillip Hallam-Baker wrote:
I agree on the problem of Web middleboxen being a problem.
What I really dislike about the BlueCoat solution is that it is
transparent. Which is of course why enterprises like them. They can
just deploy and forget. The fact that the
On 8 Feb 2012, at 20:30 , Stephen Kent wrote:
> I think the real issue, which you ay have overlooked in my comments
> above, is the notion that the best candidate for a CA is an entity
> that is authoritative for the identity asserted in the cert.
I cannot agree more with you in that statement. A
Parts of what is being described sound a lot like the stuff we're putting into
PLASMA (although I think we're looking at different terms for some of it). The
issue will be in how to re-use the bits in PLASMA and in REPUTE (which, I admit
to not having looked at, but from this exchange sounds lik
At 8:22 PM -0500 2/8/12, Phillip Hallam-Baker wrote:
Alice has three mobile phones and six laptops.
Using embedded keys in those devices for authorization is no problem
since each device can have a separate private key and the
authentication server tracks the fact that there are nine devices tha
At 2:40 PM -0800 2/8/12, Bill Frantz wrote:
On 2/7/12 at 11:55, k...@bbn.com (Stephen Kent) wrote:
Keys are not really great identifiers; they change,
Keys don't change. People or programs may wish to change the keys
they are using, but keys themselves are constant.
Touche! You're right, b
The only thing missing, of course, is web user authentication
technologies that scale to the Internet and have channel binding
support.
I would like to see web userauth technologies that have support for
channel binding.
If such technologies were in widespread use then MITM CAs would be
useless,
On Thu, Feb 9, 2012 at 9:49 AM, Phillip Hallam-Baker wrote:
> I agree on the problem of Web middleboxen being a problem.
>
> What I really dislike about the BlueCoat solution is that it is
> transparent. Which is of course why enterprises like them. They can
> just deploy and forget. The fact that
I agree on the problem of Web middleboxen being a problem.
What I really dislike about the BlueCoat solution is that it is
transparent. Which is of course why enterprises like them. They can
just deploy and forget. The fact that the purpose of the box is to
violate core assurances in the Web UI is
On Thu, Feb 9, 2012 at 7:16 AM, Phillip Hallam-Baker wrote:
> Agreed, but!
No but, we agree on the rest regarding e-mail as well, and some of
what you say is a restatement of what I said. You go further and note
that the very fact that PGP and such public keys and capabilities are
divorced from
One component that appears in three of the proposals input to this
discussion is an 'append only' notary. While the precise role and
implementation of the notary changes there are some common features:
* Use of the Harber/Stornetta catenate certificate approach (aka hash
chains, Merkle trees etc)
Agreed, but!
Let us drop the end to end ideology in the dustbin and accept that
email is an MTA to MTA protocol, or to be more precise it is three
protocols:
MUA -> MTA: SMTP/SUBMIT or HTTP
MTA -> MTA: SMTP
MTA -> MUA: POP / IMAP or HTTP
Note the presence of HTTP. People have been discussing
18 matches
Mail list logo
