
Re: A proposal

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 20 Nov 2013 00:24:53 +0000
To: "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <emb2c2f784-7af7-4d32-9cf3-01aa25ec79e8@bodybag>

still not free.  Seems like a bunch of work there.

Certs can therefore no longer be used to provide identity.  Only 
presumably verify admin control over a domain.

But also makes it even easier (at least for us) to MITM, since we are 
also the DNS server for the client, we can alter such records, and then 
we wouldn't even need to deploy a signing cert.

Adrien


------ Original Message ------
From: "Amos Jeffries" <squid3@treenet.co.nz>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 20/11/2013 12:19:46 p.m.
Subject: Re: A proposal
>On 2013-11-20 11:15, Adrien de Croy wrote:
>>even if a cert is $0 it is not zero cost.
>>
>>Time and effort are not free.
>>
>>All these options involve an ongoing management/maintenance cost as 
>>well
>>
>>And are we really proposing the internet should be built on certs from
>>free cert providers? How will they stay in business or the certs
>>remain free once the demand for free certs is multiplied by several
>>orders of magnitude?
>
>DANE.
>
>* generate your own CA certificate.
>* have your DNS provider sign it as part of your DNSSEC signed zone 
>records
>* profit
>
>
>Payment (or lack of it) will be part of your contractual agreement with 
>DNS provider and avoids the CA authority mess currently blighting trust 
>in TLS.
>
>
>Amos
>
>
Received on Wednesday, 20 November 2013 00:24:45 UTC
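
Added example, not part of either message: a sketch of the client-side check that decides whether the DANE setup Amos outlines resists the altered-records case Adrien raises. TLSA field values follow RFC 6698; the `Cert` type, the function names and the placeholder byte strings are assumptions made for illustration, and the DNSSEC validation result is passed in as a flag rather than computed.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int      # 2 = DANE-TA (your own CA), 3 = DANE-EE (the server cert)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

class Cert(NamedTuple):
    der: bytes      # DER encoding of the certificate
    spki: bytes     # DER encoding of its SubjectPublicKeyInfo

def association_data(selector: int, mtype: int, cert: Cert) -> bytes:
    """Bytes a TLSA record with this selector/matching type must carry."""
    selected = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()

def tlsa_matches(rr: TLSA, chain: list) -> bool:
    # chain[0] is the server cert; DANE-TA records pin a CA above it.
    candidates = {2: chain[1:], 3: chain[:1]}.get(rr.usage, [])
    try:
        return any(hmac.compare_digest(association_data(rr.selector, rr.mtype, c), rr.data)
                   for c in candidates)
    except KeyError:
        return False  # unknown selector or matching type: record unusable

def dane_accepts(rrset: list, dnssec_validated: bool, chain: list) -> bool:
    # An answer that failed or skipped DNSSEC validation proves nothing:
    # whoever answers the client's DNS queries could have written it.
    if not dnssec_validated:
        return False
    # Signature checks along the chain are outside this sketch.
    return any(tlsa_matches(rr, chain) for rr in rrset)

# Constructed placeholder bytes standing in for real DER encodings.
LEAF = Cert(b"constructed-leaf-der", b"constructed-leaf-spki")
SITE_CA = Cert(b"constructed-site-ca-der", b"constructed-site-ca-spki")
OTHER_CA = Cert(b"constructed-other-ca-der", b"constructed-other-ca-spki")

def pin_ca(ca: Cert) -> TLSA:
    # "2 1 1": DANE-TA, SPKI selector, SHA-256.
    return TLSA(2, 1, 1, association_data(1, 1, ca))
```

A record rewritten to pin a different CA still passes `tlsa_matches`; only the `dnssec_validated` gate, evaluated on the client rather than trusted from the resolver, rejects it.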
