On Dec 27, 3:21 am, Nelson B Bolyard <nel...@bolyard.me> wrote:
> I think you're suggesting a cooperative agreement among CAs, whereby
> once a cert was issued for a domain name by one CA, other cooperating
> CAs would refuse to issue a cert for that same domain name.
> Is that what you're suggesting?

Yes, but only for certificates where the customer has actively selected that we wanted to get listed in the database.

> 1) What problem would this proposed "central database" solve? Would it
> exist merely to keep CAs from inadvertently soliciting the customers of
> their competitors? What other purpose, if any, would it achieve?

The customer should be able to log in and lock/unlock the certificate, just like the registrar lock with domain names. If everyone checked, trusted fraudulent certificates for high-profile sites could be avoided.

> 2) Would this lock a cert customer into a single vendor? Would it
> prevent a party from enrolling for certs from several different CAs?
> As an acquirer of certificates, I would not want to be "locked in" to
> a single CA.

It should be up to the customer to decide. I think that e.g. PayPal would love to have this security for their certificate.

> 3) If some CAs agree to such an approach, and others do not, is it still
> valuable?

This is also what Eddy pointed out. Everyone in the trusted group would need to participate, but browser vendors could insist on such a system and get it through, I think.

> 4) I think this database effectively exists already, albeit in a
> distributed (not centralized) fashion. If you want to know if the server
> at a certain DNS name already has a cert, and who issued it, and when it
> is due to expire, you can simply visit that server with an SSL client
> on any (or all) of the usual SSL ports (443, 465, 993), get the server's
> current cert, and get all that information from it. I suspect you know
> this already. :)

Yes, that is correct. I am not suggesting that all certificates get locked, but instead that the customer can opt in for a guaranteed lock.

> 5) There is an organization of cooperating CAs and browser makers,
> known as the CA-Browser Forum (CABForum.org), the people behind EV.
> They're probably the group to which proposals for CA cooperation
> should be directed. They only admit CAs, and as Certstar is an RA,
> I'm not sure you could become a member. But Comodo could represent you,
> or perhaps invite you to participate in the mailing list. And you can
> always send email to the email address on their web site.

Sounds interesting. This was just an idea I got that I wanted to share with you all. As I said, it needs some work or may not be useful at all :)

Happy new year!

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
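The opt-in "certificate lock" discussed in the thread (points 1, 3 and 4: owner-controlled lock/unlock, unlisted domains unaffected, and the dependence on every CA actually consulting the database) sketched as a toy registry. This is an added illustration, not code from the thread, from Certstar or from any CA; the class and function names, the hashed owner secret, and the CA names used in the demo are all assumptions made for the example.

```python
"""
Toy opt-in certificate lock registry (added example, not from the thread).

A domain owner who enrols receives a secret, can lock the name to one CA
(much like a registrar lock on a domain) and unlock it again. A CA that
participates consults the registry before issuing; one that does not
simply never asks, which is the partial-participation caveat raised in
the thread.
"""
import hashlib
import hmac
import secrets


class CertLockRegistry:
    """In-memory stand-in for the proposed shared lock database (assumed design)."""

    def __init__(self):
        # domain -> {"secret_hash": bytes, "locked_to": CA name or None}
        self._entries = {}

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).digest()

    def _authorized(self, domain, owner_secret):
        entry = self._entries.get(domain)
        if entry is None:
            return False
        # constant-time comparison so a wrong secret is not distinguishable by timing
        return hmac.compare_digest(entry["secret_hash"], self._hash(owner_secret))

    def enroll(self, domain):
        """Opt a domain in. Returns the owner secret used for later lock/unlock."""
        if domain in self._entries:
            raise ValueError(f"{domain} already enrolled")
        owner_secret = secrets.token_urlsafe(16)
        self._entries[domain] = {"secret_hash": self._hash(owner_secret),
                                 "locked_to": None}
        return owner_secret

    def lock(self, domain, owner_secret, ca_name):
        """Bind the domain to a single CA; only the owner may do this."""
        if not self._authorized(domain, owner_secret):
            return False
        self._entries[domain]["locked_to"] = ca_name
        return True

    def unlock(self, domain, owner_secret):
        if not self._authorized(domain, owner_secret):
            return False
        self._entries[domain]["locked_to"] = None
        return True

    def issuance_allowed(self, domain, requesting_ca):
        """Decision a participating CA asks for before issuing: (allowed, reason)."""
        entry = self._entries.get(domain)
        if entry is None:
            return True, "domain not enrolled (no lock)"
        if entry["locked_to"] is None:
            return True, "enrolled but currently unlocked"
        if entry["locked_to"] == requesting_ca:
            return True, f"locked to {requesting_ca}"
        return False, f"locked to {entry['locked_to']}"


def issue_certificate(ca_name, domain, registry, participates=True):
    """Issuance gate of a CA. A non-participating CA never consults the registry."""
    if not participates:
        return True, "CA does not consult the registry"
    return registry.issuance_allowed(domain, ca_name)


def demo():
    """Walk through the cases discussed in the thread; constructed sample data."""
    reg = CertLockRegistry()
    secret = reg.enroll("shop.example")
    assert reg.lock("shop.example", secret, "Comodo")
    results = {
        "same_ca": issue_certificate("Comodo", "shop.example", reg),
        "other_ca": issue_certificate("OtherCA", "shop.example", reg),
        "unenrolled": issue_certificate("OtherCA", "blog.example", reg),
        "non_member": issue_certificate("NonMemberCA", "shop.example", reg,
                                        participates=False),
        "bad_secret": reg.unlock("shop.example", "wrong-secret"),
    }
    reg.unlock("shop.example", secret)
    results["after_unlock"] = issue_certificate("OtherCA", "shop.example", reg)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The `non_member` case is the point Eddy and Nelson raise: the lock only blocks CAs that consult the registry, so its value depends on the trusted group participating as a whole, which is why the reply suggests browser vendors would have to require it. Unenrolled domains are untouched, matching the opt-in rather than universal-lock design.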