On Wednesday, 26 April 2017 22:43:19 UTC+2, Ryan Sleevi  wrote:
> On Wed, Apr 26, 2017 at 4:02 PM, okaphone.elektronika wrote:
> > I think this is getting weird.
> >
> > At first (some other thread) it get's explained that e.g. LetsEncrypt does
> > not do anything beyond domain validation and possibly on notification take
> > down a few certificates of phishing site. And that was "... all OK because
> > we want SSL to be used everywhere, and anyway domain validation means just
> > that, nothing more..."
> >
> > And now you guys are suddenly seeing problems in wild card certificates
> > "... because it could be use for phishing..." Ehm, what?
> Could you point to examples? I think the tone of this thread has almost
> universally been consistent with the people who have said phishing isn't
> for the CAs :)

Good, I guess I simplified that to the point of not being correct anymore then. 
Just read "incidental effects of compromise" where I said phishing. It doesn't 
change what I'm saying all that much. After all LetsEncrypt can also be abused 
for this when a site has been compromised. ;-)

> > I like it this way. Thats why I'm paying Comodo for their services. If you
> > are going to make this kind of thing impossible then you are:
> Who do you believe "you guys" are?

Well anybody in here in favour of doing away with wildcard certificates. It's a 
forum, anybody can join the discussion don't they? (Even though "some pigs may 
be more equal" in this context I expect. ;-)

> > 1) Frustrating me.
> >
> > 2) Causing Comodo to lose business, for I will have to use LetsEncrypt
> > instead.
> >
> > 3) Putting all my eggs in one basket (there is currently no alternative
> > for LetsEncrypt).
> >
> > 4) Not solving the problem at all, it's easy to get a certificate for a
> > phishing domain from LetsEncrypt.
> >
> > 5) Trying to do something that certificates are not meant for. I don't
> > think it is (or should be) the responsibility of CA's to verify that sites
> > are not used for phishing.
> I think almost everyone on this thread has expressed general agreement :)
> I think you may be confusing the phishing discussion (which was only
> brought up once or twice) with the general _capability_/_security_
> discussion, for which a wildcard certificate has unlimited capability (over
> a subdomain), and thus much greater risk, and the desire to balance that
> risk.
> The risk is not phishing. The risk is incidental effects of compromise.
> It's no different than a discussion of compromise of a technically
> constrained sub-CA (which is an 'ultra-wildcard') or of an unconstrained
> sub-CA/CA itself (which is a 'global-wildcard'). Each level has different
> risks, and we want to make sure they're all treated accordingly. Phishing
> has not been preeminent among that discussion of risks, and so if that's
> your takeaway, I would say the message on this thread has been fairly
> consistent in agreeing with you that certs don't solve phishing.

If this is about the possible consequences of compromise, then I'd say you 
should try to adres that. But please do come up with something that still 
allows for enough flexibility, so I can arrange the HTTPS everywhere you guys 
(browsers that is ;-) want so much. At least while there is only a single CA 
(LetsEncrypt) that offers an alternative for wildcards for a reasonable fixed 

After all the internet is also about variety isn't it? Seems to me there are 
not all that much CA's around... I do like the LetsEncrypt initiative but I 
also do hope they will not become the only choice. :-(

I could live with wildcards that would only work for one DNS level for 
instance. Would that be an improvement?

CU Hans
dev-security-policy mailing list

Reply via email to