[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Ben Wilson ben at digicert.com
Thu Nov 10 16:50:54 PST 2011


I have to agree with Phillip.  Many application developers don't know how to
properly integrate PKI into their systems.  For instance, some email system
providers still don't know what S/MIME is.  Some applications ignore Policy
OID processing or simply skip revocation checking or chain processing or
whatever.  Gatekeeping is best performed by a programmable system that can
determine whether the signed blob is appropriate for its intended purpose.
But I'm not defending all CAs either.  I've seen many examples of strange
blobs being passed off as certificates, but relying party systems need to be
able to reject these if they don't satisfy the criteria needed for
trustworthy processing.

On 11/10/2011 12:14 PM, Phillip Hallam-Baker wrote:

> See above. The primary responsibility for making sure
> the crypto is strong enough has to fall on the
> application provider.
>
> The CAs should provide a backup but this does not
> absolve the application designer from making the right
> choice.
>
> What I am objecting to here is that this exercise
> seems to only ever be interested in holding CAs
> accountable.
