Mike,
On Sun, Sep 11, 2011 at 8:44 PM, Mike Jones m...@mikejones.in wrote:
It will take a while to get updated browsers rolled out to enough
users for it to be practical to start using DNS based self-signed
certificates instead of CA-Signed certificates, so why don't any
browsers have support
-Original Message-
From: Gregory Edigarov [mailto:g...@bestnet.kharkov.ua]
I.e. instead of a set of trusted CAs there will be one distributed net
of servers, that act as a cert storage?
I do not see how that could help...
Well, I do not even see how can one trust any certificate
On Sep 11, 2011, at 11:06 PM, Hughes, Scott GRE-MG wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers and phishing schemes. Even EV certificates don't help when consumers
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist <insert intel organisation here> when they ask for
dodgy certs so they can intercept something..
No, as soon as you have somebody who is not
Randy Bush wrote:
But Gregory is right, you cannot really trust anybody completely. Even
the larger and more respectable commercial organisations will be
unable to resist <insert intel organisation here> when they ask for
dodgy certs so they can intercept something..
No, as soon as you have
with dane, i trust whoever runs dns for citibank to identify the cert
for citibank. this seems much more reasonable than other approaches,
though i admit to not having dived deeply into them all.
If the root DNS keys were compromised in an all DNS rooted world...
unhappiness would ensue in
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up complexity too and makes you wonder
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
And how long would it be before browsers allowed
self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
As previously mentioned, Chrome >= v14 already does.
Regards,
Martin
Martin Millnert wrote:
On Mon, Sep 12, 2011 at 5:09 PM, Michael Thomas m...@mtcc.com wrote:
And how long would it be before browsers allowed
self-signed-but-ok'ed-using-dnssec-protected-cert-hashes?
As previously mentioned, Chrome >= v14 already does.
The perils of coming in late in a
On 13/09/11 01:12, Randy Bush wrote:
as eliot pointed out, to defeat dane as currently written, you would
have to compromise dnssec at the same time as you compromised the CA at
the same time as you ran the mitm. i.e. it _adds_ dnssec assurance to
CA trust.
Yes, I saw that. It also drives up
Mike Jones m...@mikejones.in wrote:
DNSSEC deployment is advanced enough now to do that automatically at the
client.
Sadly not quite. DNSSEC does have the potential to provide an alternative
public key infrastructure, and I'm keen to see that happen. But although
it works well between
On 11 September 2011 16:55, Bjørn Mork bj...@mork.no wrote:
You can rewrite that: Trust is the CA business. Trust has a price. If
the CA is not trusted, the price increases.
Yes, they may end up out of business because of that price jump, but you
should not neglect the fact that trust is
There's an app^W^Wa Working Group for that.
http://tools.ietf.org/wg/dane/
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones m...@mikejones.in wrote:
On 11 September 2011 16:55, Bjørn Mork bj...@mork.no wrote:
You can rewrite that: Trust is the CA business. Trust has a price. If
the CA is not
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them
all (and one password) combined with the client verifying the
server. It's still in its infancy, but it works.
-A
(Full disclosure: I work with the creator of gpgAuth in our day jobs)
On Sun, Sep 11, 2011 at 11:47, Richard Barnes
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
--- SNIP ---
This is a request to add the CA root certificate for Honest Achmed's
Used Cars and Certificates. The requested information as per the CA
information checklist is as follows:
1. Name
Honest Achmed's Used Cars and Certificates
2.
On Sun, 11 Sep 2011 15:20:51 PDT, Aaron C. de Bruyn said:
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them
all (and one password) combined with the client verifying the
server. It's still in its infancy, but it works.
Yes, but it needs to be something that either (a) Joe
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones m...@mikejones.in wrote:
EV certificates have a
different status and probably still need the CA model
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
-chris
(I've never seen the value in
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end user.
They see a green address bar with the company's name displayed.
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess mysi...@gmail.com wrote:
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end
On Sep 11, 2011, at 9:44 PM, Christopher Morrow morrowc.li...@gmail.com
wrote:
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess mysi...@gmail.com wrote:
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
what's the real benefit of an EV cert? (to the service
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG
shug...@grenergy.com wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers and phishing schemes. Even EV certificates don't
On 9/11/11 11:28 PM, Christopher Morrow wrote:
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG
shug...@grenergy.com wrote:
Companies that wrap their services with generic domain names (paymybills.com
and the like) have no one to blame but themselves when they are targeted by
scammers
22 matches