> On Nov 21, 2014, at 6:05 AM, Ted Lemon <[email protected]> wrote:
> 
> On Nov 21, 2014, at 1:00 AM, Michael Richardson <[email protected]> wrote:
>> Nobody said that unauthenticated TLS should show a "lock"
> 
> Unfortunately I think more people notice "https://" than the lock.   Although 
> perhaps I think that because I am a geek who knows what https:// means, and 
> regular folk actually do look at the lock icon.   In any case, I think that a 
> cert signed by this free CA does the job, because it is not a self-signed 
> cert: there would presumably be an independent verification step, even if 
> that step is only to show that the person getting the cert actually has 
> control over the domain.

That's actually the genius portion of the scheme: it's a DV cert because the 
default flow has the certificate management program receive a request from the 
CA to put a token on the web site in question, which the CA can then verify, so 
it allows fully automated proof of control for the site.

If anything, it's arguably better than many CAs' Domain Verification process.

> Of course, if that is the test that is used, this sort of cert is no better 
> than a DANE cert.   I guess the one advantage is that it doesn't require 
> DNSSEC.

Given that, because this will be cross signed (agreements are already in place) 
as well as an accepted root, this will be accepted by effectively all browsers, 
while ~1% of systems measured cannot get DNSSEC information, period.

Overall, this is a really clever scheme, with really smart people behind it.

I expect a smashing success, and the only thing IMO they should do in addition 
is try for low friction payment as well, so that those who WOULD want to pay 
(couched in terms of "2 lattes" or something like that) can easily put in their 
credit card #.

--
Nicholas Weaver                  it is a tale, told by an idiot,
[email protected]                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
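The token-on-the-web-site flow described in the message above, modelled as an added example; this is not code from the mail or from the CA project it discusses, and the mail does not name the actual protocol. The path prefix, the `token.thumbprint` "key authorization" format, the class and function names, and the key material are all assumptions made for this illustration. The model keeps both sides in memory (no network): the CA registers an account, hands out an unguessable single-use token, and only issues if it can fetch that token, bound to the requesting account, back from the site being certified.

```python
import hashlib
import secrets

# Assumed location where the site publishes challenge tokens (not from the mail).
CHALLENGE_PREFIX = "/.well-known/cert-challenge/"


def account_thumbprint(account_public_key: bytes) -> str:
    """Identifier of the requesting account as registered with the CA (assumed format)."""
    return hashlib.sha256(account_public_key).hexdigest()


def key_authorization(token: str, thumbprint: str) -> str:
    """Body the site must serve: the CA's token bound to the requesting account."""
    return f"{token}.{thumbprint}"


class WebSite:
    """In-memory stand-in for the web site being certified: path -> body."""
    def __init__(self, hostname: str):
        self.hostname = hostname
        self.pages = {}

    def publish(self, path: str, body: str) -> None:
        self.pages[path] = body

    def fetch(self, path: str):
        return self.pages.get(path)


class CertClient:
    """The certificate management program running on the site operator's side."""
    def __init__(self, site: WebSite, account_public_key: bytes):
        self.site = site
        self.thumbprint = account_thumbprint(account_public_key)

    def respond(self, token: str) -> None:
        # Put the token (bound to our account) where the CA said it would look.
        self.site.publish(CHALLENGE_PREFIX + token,
                          key_authorization(token, self.thumbprint))


class CA:
    """The CA side: knows registered accounts, issues and checks challenges."""
    def __init__(self, fetch):
        self.fetch = fetch      # fetch(hostname, path) -> body or None
        self.accounts = set()   # registered account thumbprints
        self.pending = {}       # (hostname, thumbprint) -> outstanding token

    def register(self, account_public_key: bytes) -> str:
        tp = account_thumbprint(account_public_key)
        self.accounts.add(tp)
        return tp

    def challenge(self, hostname: str, thumbprint: str) -> str:
        if thumbprint not in self.accounts:
            raise ValueError("unknown account")
        token = secrets.token_urlsafe(32)   # unguessable, one challenge per token
        self.pending[(hostname, thumbprint)] = token
        return token

    def verify(self, hostname: str, thumbprint: str) -> bool:
        token = self.pending.pop((hostname, thumbprint), None)
        if token is None:
            return False                     # no outstanding challenge (or already used)
        body = self.fetch(hostname, CHALLENGE_PREFIX + token)
        if body is None:
            return False                     # token was never published on the site
        expected = key_authorization(token, thumbprint)
        return secrets.compare_digest(body.strip(), expected)


def run_validation(site: WebSite, ca: CA, client: CertClient) -> bool:
    """One complete exchange: CA challenges, client publishes, CA verifies."""
    token = ca.challenge(site.hostname, client.thumbprint)
    client.respond(token)
    return ca.verify(site.hostname, client.thumbprint)


def demo():
    """Constructed scenario: the operator proves control; an account that does
    not control the site gets a token too, but nothing it does makes that token
    appear on the site, so its validation fails."""
    hosts = {}
    ca = CA(lambda host, path: hosts[host].fetch(path) if host in hosts else None)
    site = WebSite("example.com")
    hosts[site.hostname] = site

    ca.register(b"owner-public-key")               # constructed key material
    owner = CertClient(site, b"owner-public-key")
    ok = run_validation(site, ca, owner)

    other_tp = ca.register(b"other-public-key")    # constructed, controls nothing
    ca.challenge(site.hostname, other_tp)
    not_ok = ca.verify(site.hostname, other_tp)
    return ok, not_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point the mail makes is visible in `CA.verify`: the only evidence the CA accepts is content it fetched itself from the hostname being certified, so whoever can place content on that site is, by construction, the party that gets the certificate. The token is single-use and bound to the account that asked for it, so a body copied from one site cannot satisfy a challenge issued to someone else.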


_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
