[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Jacob Appelbaum jacob at appelbaum.net
Wed Nov 9 11:51:03 PST 2011


On 11/09/2011 09:03 AM, Phillip Hallam-Baker wrote:
> On Wed, Nov 9, 2011 at 11:40 AM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
> 
>>
>> Am I wrong in thinking that this makes the "please recount the number of
>> CAs" concern seem like a distraction from deeper issues?
>>
> 
> No, not at all.
> 
> If you want this to be a productive and constructive effort to make the CA
> system work better then there has to be trust on both sides.
> 

That's pretty rich coming from Comodo!

> If we have people misrepresenting results to make false claims then CAs
> have to think twice before they respond to anything knowing that it may be
> used for 'gotcha' purposes later on.
> 

The count given by Peter and the EFF makes sense based on the
explanations on this list.

Please show us all that the data collected is either invalid or that you
have a different dataset that somehow supersedes it.

> 
> Remember that currently there are no industry wide criteria for issue of DV
> certs. We should have some very soon, but for fifteen years it was left to
> individual CAs to make policy. Now the reason that Melih and I convened the
> meeting that led to the formation of the CA-Browser forum was that we
> recognized that there was a problem here that we both wanted to fix.
> 

ssladmin at domain.tld is still pretty much the way that people issue DV
certs. Hilariously bad - I should know, that's my default choice for a
new email address these days.

> There are many CAs that share the same goal of making the Internet trust
> system more reliable and trustworthy. But don't present this as something
> that is exclusively the fault of CAs. It is not (just) the fault of the
> goalkeeper when the ball ends up in the back of the net.
> 
> 

When will Comodo come clean about the entire Comodogate scandal?

This is almost entirely the fault of the CAs. What checks and balances
have you built to prevent these kinds of compromises from happening in
the first place?

> I don't actually see any problem with .local domains using SSL. The real
> problem comes from browsers telling end users that this means a site is
> 'safe'. So one approach would be to tell browser providers that when SSL is
> used at .local sites that the user should never see a padlock icon or any
> other security indicator in primary chrome.

I guess you just answered my last question, eh?

The world is more than browsers. This kind of thinking is why the fault
for a great deal of security failures rests on the shoulders of the CAs.

Sincerely,
Jacob
