On 02/12/2011 12:32 AM, From Stephen Schultze:
Who the subscriber is (not higher level validation, sanity check)
I still can't decipher this.
I didn't expected that you do :-)
what the requested host name is
There is no ambiguity in DANE.
Indeed, PAYPA1.COM, MICR0S0FT.COM, PAYPAL.DOM.COM,
BANK0FAMERICA.COM....all goes.
what's the purpose of a certificate
There is no ambiguity in DANE
Of course not, that's why we have this:
http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf
cryptographic weaknesses
Better done in the client.
Not done or insufficient implemented mostly due to backward
compatibility and other considerations.
A review of the requested properties in a certificate are an obvious
benefit, it's not unnecessary with keys-in DNS, it's not possible.
The only relevant properties are domain and key. The domain is
implicit and the key needs no review other than basic sanity checks
done in the client.
That's your opinion, I don't share it. Networks that repeatably are used
for those unfavorable purposes are happily served by the client, but CAs
don't necessarily issue certificates to them.
I readily concede that some CAs have revoked DV certs for sites that
were doing things that most people would consider "bad", and perhaps
that revocation actually prevented them from doing more "bad" things
(although I suspect that the vast majority of phishing/malware/etc
doesn't rely on HTTPS whatsoever).
True - did you wonder why? Did you hear about the complaints at Mozilla
about one such site that had a certificate from a CA?
I do know that millions of domains accused of such behavior have
been removed by just one NIC. Which is more "effective"?
How come that there were millions in first place? The most used TLDs are
however .BE, .COM, .EU, .NET, .EU, and .UK. and not .CN according to the
APWG.
But all of the above has to do with your claims about what
disadvantages DANE has relative to CA DV. You persistently ignore the
clear disadvantages of CA DV relative to DANE, such as exclusivity,
delegation, smaller surface area of vulnerabilities, etc.
That's because I don't believe it's a solution in itself, it can become
part and increase security clearly for all CA issues certificates
(including DV). Having this advantage in addition to the existing trust
model (one that is increasingly improving as well) is an excellent goal.
CAs stand to benefit greatly by leveraging DANE to add these
characteristics to their more highly validated certs. They should be
cheerleading such efforts (and several are).
They might have a particular agenda I don't share. Obviously I'll go for
something I believe in which is not what you are proposing.
Your pattern of reasoning, on the other hand, is to assert that DV CAs
simply "know best" -- therefore we should continue to let them insert
themselves into a process that could be run far more securely and
efficiently without a third party.
I believe that CAs provide exactly the value necessary to make a
difference which you think is superfluous.
I don't buy it.
Fine with me. Was nice discussing (again).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
