<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It’s like a cross between the Tragedy of the Commons and the Wild West. The wide open space of the Internet without controls allows anyone to trash it without taking on responsibility for their actions. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Phillip Hallam-Baker [mailto:hallam@gmail.com] <br><b>Sent:</b> Thursday, November 10, 2011 6:59 PM<br><b>To:</b> ben@digicert.com<br><b>Cc:</b> EFF Observatory<br><b>Subject:</b> Re: [SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Just to re-iterate, <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>CAs stand willing ready and able to help here. But a big part of the reason that we have issues here is that the lines of responsibility are not clear.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It is like when you have two parents who both think the other is watching the child. That is when problems arise.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We need to clarify these lines of responsibility because we have at least two further cryptographic algorithm turnovers that will have to happen in the near future (after which the issue should only really arise if there is a major defect in one of the algorithms.). These are the RSA1024 turnover and the SHA-1 turnover.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Who has the speaking stick for those probably matters much less than that everyone knows who has it and they have at least some coercive power.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Nov 10, 2011 at 7:50 PM, Ben Wilson <<a href="mailto:ben@digicert.com">ben@digicert.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>I have to agree with Phillip. Many application developers don't know how to<br>properly integrate PKI into their systems. For instance, some email system<br>providers still don't know what S/MIME is. Some applications ignore Policy<br>OID processing or simply skip revocation checking or chain processing or<br>whatever. Gate keeping is best performed by a programmable system that can<br>determine whether the signed blob is appropriate for its intended purpose.<br>But I'm not defending all CAs either. I've seen many examples of strange<br>blobs being passed off as certificates, but relying party systems need to be<br>able to reject these if they don't satisfy the criteria needed for<br>trustworthy processing.<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 11/10/2011 12:14 PM, Phillip Hallam-Baker wrote:<o:p></o:p></p></div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>>See above. The primary responsibility for making sure<br>>the crypto is strong enough has to fall on the<br>>application provider.<br><br>>The CAs should provide a backup but this does not<br>>absolve the application designer from making the right<br>>choice.<br><br>>What I am objecting to here is that this exercise<br>>seems to only ever be interested in holding CAs<br>>accountable.<o:p></o:p></p></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>-- <br>Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><o:p></o:p></p></div></div></body></html>