Re: TLS server keys in DNS: client policy proposal

Thu, 10 Feb 2011 15:34:24 -0800 

On 2/10/11 5:36 PM, Eddy Nigg wrote:

On 02/10/2011 10:40 PM, From Stephen Schultze:

Until you actually explain why you think it's not correct that DV
relies on DNS,


I didn't say DV doesn't rely on DNS, almost everything on the [net] uses it.


Of course, but the fact that apps use DNS irrelevant.


You cut off the end of the sentence, which made clear that I was 
referring to how the *trust* of the CA model relies on blind trust of 
the data in DNS.  Any fundamental trust model shortcoming of DNS is 
likewise a shortcoming of CA DV.  You've never explained how you think 
this could be false.



FWIW, it should be obvious that the EV trust model does *not* rely on 
blind trust of DNS because it incorporates OOB confirmation of identity 
rather than just domain ownership.  This is a good thing.



or what beyond domain validation that you think DV actually does,
there's really nothing to respond to.


At least you could read the mail to which you responded originally. Here
the three points I mentioned again for your convenience:

One of the points to consider is anti-phishing and flagging features
built into CAs systems (not all, but some). Ability to revoke
certificates by a responsible third party is however probably a strong
point in favor for CA issued certificates, CA provided warranties on top
yet another.



You consistently implore that people respond to your points while 
refusing to answer or even acknowledge their reasoned responses when 
provided (including to the points you quoted above).  I literally 
answered them (again) here earlier today (and at more length, along with 
Matt McCutchen, in the m.d.s.p. thread that I linked to).



The only thing that Mozilla requires of DV CA's is that they validate 
domain ownership.  Anti-phishing and other punishments for actions that 
the CA doesn't approve of are irrelevant, and indeed Mozilla provides 
client-based mechanisms for mitigating these harms.  This avoids the 
policy pitfalls of trusting arbitrary internet intermediaries to act in 
a "responsible" fashion... whatever that means.



I really don't understand why this has been such a problem, given that 
your work and reasoning on other topics is so good.  It is a mystery to me.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

























					Reply via email to