On Thursday, 7 July 2016 01:52:23 UTC+1, Peter Gutmann wrote:

> There wasn't any decision to leave it unaddressed, no-one had ever expressed
> any interest in this at any point during the work on the previous protocols,
> so there's nothing about it in any of the specs.

This claim is plainly false. Early drafts of SCEP, before it confined itself to "closed networks", even spell out what the problem is before they basically say they're not going to make any real attempt to tackle it. CMP, CMC and SCEP all resort to saying that some "out of band" mechanism should be used to verify that the applicant is or controls the subject DN, and treat this problem as completely out of scope. Even by 2005 this should have seemed like weak sauce indeed.

> If anyone did care about it,
> it shouldn't be too hard to add support for it to any of the existing
> protocols.

"Schneier's Law" very much applies.

> Well, it solves a problem that no previous protocol, or potential user of the
> protocol, had even acknowledged as a problem before. Whether that's (a) worth
> creating an entirely new protocol rather than just adding support for it to an
> existing, long-established one and (b) will make said new protocol a success
> when every other attempt to do this has failed, is another matter.

Each week several hundred thousand certificates are issued using (an earlier draft of) ACME by what is now, as a result, one of the Web PKI's top five Certificate Authorities in terms of how many sites use its certificates. I'm content to label this "success" even before ACME becomes an RFC.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

