On 2011-02-05 2:02 PM, Nelson B Bolyard wrote:
> On 2011-02-05 13:28 PDT, Zack Weinberg wrote:
>> ...
> There is a list/newsgroup focused specifically on the browser policy
> governing the admittance of CAs to mozilla's root CA list. That probably
> seems like the more obvious place, but it's where all the CA
> representatives hang out, and some fear that any proposal that appears to
> be intended to displace PKI will not get a fair hearing in that venue.
> But feel free to brave mozilla.dev.security.policy if you wish.

Since the conversation has started here, let's keep it here for now.
I have been trying to stay out of any PKI versus DANE arguments, and
(as you may see from the proposal) I still see a role for "traditional"
CAs in providing additional validation beyond "the server for this DNS
name should be using this public key".

> I think CAs still get most of their revenues from DV, and so perceive DANE
> as a direct threat.

Quite possible.

> However, I wouldn't especially miss the current state of affairs with
> DV certification if DANE totally supplanted it.

Sadly, I'm sure you're not alone.

In this hypothetical, what would you consider to have been lost? (This
is not a rhetorical question, and in fact I have a concrete answer to it
myself, but I'd like to hear yours first.)

>> "bogus" in this case is a term-of-art defined by RFC 4033.
[...]
> Yes, thanks for that info. I obviously wasn't aware of that definition.
> Would a parenthetical reference to it in that sentence be redundant?

No, that's a good idea, I'll add one.

> All the browsers live in mortal fear of losing market share. Anything
> that causes users to TRY another browser is to be avoided at ALL COST.
> Historically, unbypassable security errors have been among the leading
> causes. The only way to get browsers to do it is to get ALL browsers
> to do it at the same time. I believe that is not possible. Many failed
> attempts by lots of people to make that happen back my belief.

Allow me my optimism for the moment, please. It certainly *was* the
case in the past that "anything that causes users to try another browser
is to be avoided at all cost" but I think that is no longer true, and
the STS experience says that browsers *can* manage un-bypassable
security errors with opt-in from the site (which DANE can be considered as).

Note that if we can't get this language (or any of the rest of it) into
the IETF's spec, my fallback plan is to put it forward as browser
consensus behavior for HTTPS, working through the W3C, the CABforum, or
WHATWG; so I don't think getting all browsers to do something at the
same time is impossible in this case.

> If you're not on this list, please join it. Customarily, replies go only
> to the list with no CC's to others.

I am reading it via the newsgroup.
zw
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto