[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Phillip Hallam-Baker hallam at gmail.com
Wed Nov 9 09:03:08 PST 2011


On Wed, Nov 9, 2011 at 11:40 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:

>
> Am I wrong in thinking that this makes the "please recount the number of
> CAs" concern seem like a distraction from deeper issues?
>

No, not at all.

If you want this to be a productive and constructive effort to make the CA
system work better then there has to be trust on both sides.

If we have people misrepresenting results to make false claims then CAs
have to think twice before they respond to anything knowing that it may be
used for 'gotcha' purposes later on.


Remember that currently there are no industry-wide criteria for issue of DV
certs. We should have some very soon, but for fifteen years it was left to
individual CAs to make policy. Now the reason that Melih and I convened the
meeting that led to the formation of the CA-Browser forum was that we
recognized that there was a problem here that we both wanted to fix.

There are many CAs that share the same goal of making the Internet trust
system more reliable and trustworthy. But don't present this as something
that is exclusively the fault of CAs. It is not (just) the fault of the
goalkeeper when the ball ends up in the back of the net.


I don't actually see any problem with .local domains using SSL. The real
problem comes from browsers telling end users that this means a site is
'safe'. So one approach would be to tell browser providers that when SSL is
used at .local sites the user should never see a padlock icon or any
other security indicator in primary chrome.



-- 
Website: http://hallambaker.com/