Ian,
Ian G wrote:
On 8/1/09 23:35, Eddy Nigg wrote:
On 01/08/2009 11:44 PM, Ian G:
Well, what Firefox does is cert-exception-click-thru-ordeal; whereas
people are asking for key-continuity-management, with perhaps the
emphasis on the last word.
Well, is it then an endorsement for self-signed certs?
Oh, no, we are down on advocacy this week :) Actually KCM works much
better with CA-signed certs, because they help (quite a lot) with the
"first visit" problem.
How?
KCM is counter to everything in X.509?
If a server changes to a new cert with a new key, how will KCM work
"much better" ?
If you follow the KCM logic, you would have to give an application
warning, which is completely unwarranted under current standards.
Otherwise I can't
see the difference between what's requested and what already exists. The
only thing which would change perhaps is the case when ANY certificate
changes its state (replaced). Is this what is advocated?
Well, back in the old days, we all had to type in URLs and email
addresses manually. These days we have smart programs to remember what
we do, what we accept, what we authorise.
Think of a bookmark. Add a cert. add a few whizzbangs in the bookmark
manager, go from there....
It doesn't matter whether you type it or not when you are talking about
SSL. Only what's on the network matters, i.e. the cert that the server
sends. The content of the cert is supposed to confirm the identity of
the server. Much like, when you call somebody over the phone, their
voice print (usually) confirms who you are talking to. URLs get
redirected, phone numbers change. In all cases authentication is needed,
whether somebody has fat fingers or is using bookmarks, or the redial
button on a phone, whether somebody has a bad cold and sounds
significantly different than usual (their key changed :)). You still
have to do your authentication. You may have a particular expectation of
what key or what person is on the other end, but still you don't
normally start communicating before you have confirmed the identity.
I'd feel rather annoyed if I'd have to confirm every new cert
encountered.
Yes, on the web we usually cannot do that ourselves, that's why we trust
CAs to do the work for us. If we aren't happy with a particular CA's
job, we don't have to trust them...
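
The two behaviours debated in this thread, shown side by side in an added Python example (not code from any poster, Firefox or NSS): a key-continuity store that warns on every key change, and one that lets CA validation cover the first visit and routine key rotation. The class and method names, the host `shop.example` and the key bytes are all constructed for illustration.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ACCEPT = "accept"              # key matches the pin, or a CA vouches on first visit
    ASK_FIRST_USE = "ask-first"    # no pin and no CA path: the "first visit" problem
    ACCEPT_ROTATED = "rotated"     # new key, but the new cert chains to a trusted CA
    WARN_KEY_CHANGED = "warn"      # new key that continuity alone cannot explain

def spki_pin(spki: bytes) -> str:
    """Pin = SHA-256 over the server's public-key bytes (constructed stand-ins here)."""
    return hashlib.sha256(spki).hexdigest()

class ContinuityStore:
    """Hypothetical per-host key memory; strict=True ignores CA validation on key change."""
    def __init__(self, strict: bool = False):
        self.strict = strict
        self.pins = {}

    def check(self, host: str, spki: bytes, ca_valid: bool) -> Verdict:
        pin, known = spki_pin(spki), self.pins.get(host)
        if known is None:
            if not ca_valid:
                return Verdict.ASK_FIRST_USE      # caller pins only after the user agrees
            self.pins[host] = pin
            return Verdict.ACCEPT
        if known == pin:
            return Verdict.ACCEPT
        if ca_valid and not self.strict:
            self.pins[host] = pin                 # routine renewal with a new key
            return Verdict.ACCEPT_ROTATED
        return Verdict.WARN_KEY_CHANGED           # pin is left unchanged

    def trust(self, host: str, spki: bytes) -> None:
        self.pins[host] = spki_pin(spki)          # explicit user decision

def replay(strict: bool) -> list:
    """Constructed visit history: (host, key bytes, did the chain validate to a CA?)."""
    store = ContinuityStore(strict)
    visits = [
        ("shop.example", b"key-A", True),    # first visit, CA-signed
        ("shop.example", b"key-A", True),    # same key again
        ("shop.example", b"key-B", True),    # renewed cert, new key, CA-signed
        ("shop.example", b"key-C", False),   # new key, no valid chain
    ]
    return [store.check(*v) for v in visits]

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "ca-assisted", [v.value for v in replay(mode)])
```

In strict mode the third visit produces the warning on a legitimately renewed certificate; in CA-assisted mode only the fourth visit, where the key changed and no chain validates, is flagged.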