Frank Hecker: > > I don't want to go off on a tangent, but I think the Skype model is more > significant than you think.
There is a problem that nobody knows what encryption this is and which keys are involved and who has access to these keys etc. Skype is fine for me, but I wouldn't exchange anything critical with it, that's all. There is nothing wrong with it, but "security" isn't the main reason I'd use Skype for. > Take your idea of requiring identity verification for wildcard DV certs, > which is designed to address the hypothetical threat of people setting > up SSL-enabled phishing sites under their top-level domains (e.g., > paypal.example.com). There's are multiple cost to implementing such an > idea: a cost to CAs (who may have to change their procedures and product > offerings), Well, they do charge more for them anyway usually, not sure how much this would impact them. > a cost to cert subscribers (who may have to pay more for > certs), See above. > a cost to us (who have to figure out all the CAs doing wildcard > DV certs, and then try to persuade them to change what they're doing), > and potentially a cost to end users (e.g., if they can no longer access > sites because we decide to punish CAs by removing their roots or > disabling validation of certain wildcard certs). > I don't believe that we'd have to go that far. As Comod indicated, they would go for it if this would be applied across the band. So far I've found only two, Comodo and GoDaddy (the later isn't confirmed, only suspected). > So the specific question for me is as follows: Should I devote Mozilla > Foundation resources (including my own time) to trying to combat the > hypothetical Most threats are hypothetical if you will. They may exist in some for or the other. Correct is however that SSL certificates are hardly used for phishing attacks to start with, because or despite various protections CAs put in place for issuing them in first place. > threat posed by wildcard DV certs, a threat for which other > protection measures already exist and would appear to be effective, or > should I devote those resources to other tasks that arguably offer a > greater return on investment in terms of increased security, like say > getting more EV-qualified CAs approved to have their EV certs recognized > in Firefox? That's a pretty easy question for me to answer. > I think one thing isn't connected to the other. If it's this OR that, that would be a bad thing in any case. But I think we can agree that we disagree on both subjects of wild card and long-living certificates which are domain validated. As far as me concerns we had the (intensive) discussion (which is a good thing to have) and this subject can be put aside. I made the arguments and you made the decision and you take responsibility (what Mozilla concerns). -- Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390 _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
