On 03.01.2018 at 17:31, Eric Rescorla wrote:
> On Wed, Jan 3, 2018 at 8:17 AM, Mateusz Jończyk <[email protected]> wrote:
>
> > On 03.01.2018 at 16:28, Eric Rescorla wrote:
> > > Well, this seems like the first arm, in which you change the browser, so the
> > > question then becomes whether the browsers wish to do so. Are you aware of
> > > any browser vendor which is interested?
> >
> > I'm not exactly sure what you understand by "the first arm".
> > Of course it would have to be implemented in browsers, by me or somebody else.
> > Microsoft may wish to deploy this in their Forefront TMG, so browser support
> > in Internet Explorer / Edge would follow.
>
> My question is whether any browser has indicated interest in doing so.

No, I didn't contact any browser vendors.

If an AlertDescription is allocated, they will have to implement this at least
halfway - display some warning to the user, without necessarily contacting
access_administratively_disabled.net at all.

> > DNS already handles a large number of such entities and it somehow works and
> > is practical. Having a subdomain of access_administratively_disabled.net
> > registered would be expensive because a physical validation would have to be
> > followed - it would probably be no less expensive than EV certificates
> > currently are.
>
> It's not a matter of scaling. It's a matter of having this many certificates
> that can all generate an acceptable message undermines the value of the
> signature because you now have a distributed single point of failure.

Just like CAs. I don't think that there will be more
access_administratively_disabled.net subdomains than there are CAs currently.

After all, the failure won't be very catastrophic: it will only enable someone
who already is able to intercept all traffic to slightly phish the users. If
some key leaks publicly, it will simply be revoked.

Greetings,
Mateusz

> -Ekr

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
