On Mon, Feb 23, 2009 at 4:10 PM, Eddy Nigg <eddy_n...@startcom.org> wrote: > On 02/24/2009 02:01 AM, Kyle Hamilton: >> >> It's important to realize something rather important... security must >> be designed into the system from the ground up, and all pieces of a >> secure system must operate together properly. It's not *just* the CA, >> it's everything. > > Ideally yes, your are right... > >> Since we don't have a secure system, we need to find a way to make >> things as secure as possible given the lack of cooperation from the >> registrars/ICANN/browser vendors/CAs/users. > > ...but I think that the CAs would be the better equipped and capable parties > of those (beyond unilateral actions on part of the browser vendors, like > removing support for wild cards, IDN and numbers in domain names generally > and/or in certificates particularly). What's lacking is perhaps a policy > making those requirements. It's of course just my opinion on this matter...
Browser vendors can't take unilateral actions (except perhaps showing both the punycode and interpreted versions of the site name, and explicitly in the chrome breaking it into the 'protocol', 'host', 'port', and 'query string' portions of the URL). Removal of support for wildcards can't be done without PKIX action, if one wants to claim conformance to RFC 3280/5280. This is part of the reason why the CAB Forum was created. However, at this point, ICANN also needs to be brought into the discussion. -Kyle H -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
