Re: Browser security warning

From: Stuart E. Schechter <ses@ll.mit.edu>
Date: Wed, 27 Dec 2006 16:47:47 -0500
To: Mike Beltzner <beltzner@mozilla.com>
CC: <public-wsc-wg@w3.org>
Message-ID: <C1B85433.C330%ses@ll.mit.edu>

> There's another use case that isn't really captured here, due to the
> limitations of the commercial CA structure. For example, if I own the
> foo.com, and am not planning on using it for public purposes but want
> an SSL channel for various services like ftp.foo.com and www.foo.com
> and mail.foo.com and webdav.foo.com, I might want a *.foo.com
> certificate. That's far more expensive to purchase (note: expensive
> enough to be a reason why a lot of banks don't SSLify their front
> pages) and so I might just not bother since I can make my own.

   Yes.  $79 for a cheap one.

> SSL was never, AIUI, intended to be a "you must pay to play"
> situation. I think you're being a little unfair in use cases (2), (3)
> and (4) with your wording, and as someone else pointed out, leaning
> heavily towards commercial CAs as being the only solution.

   I absolutely don't think commercial CAs are the only viable solution.  If
I bought my domain name for $10/year, I'm not terribly keen on paying again
for the cryptographic receipt that says I own it.

   IETF RFC 4398 provides a mechanism with which to use DNSSEC to
authenticate a site certificate using DNSSEC.  No commercial CA needed.

Received on Wednesday, 27 December 2006 21:47:29 GMT