- From: Adrien W. de Croy <adrien@qbik.com>
- Date: Mon, 26 Mar 2012 10:15:12 +0000
- To: "Peter Saint-Andre" <stpeter@stpeter.im>
- Cc: "Mike Belshe" <mike@belshe.com>, "Roy T. Fielding" <fielding@gbiv.com>, "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
------ Original Message ------
From: "Peter Saint-Andre" <stpeter@stpeter.im>

>On 3/26/12 11:22 AM, Adrien W. de Croy wrote:
>
>>------ Original Message ------
>>From: "Peter Saint-Andre"
>>
>>>>>>From a practical point of view, there aren't a lot of
>>>>>>alternatives to SSL on the table right now. Most people do
>>>>>>agree that SSL does a reasonable job of preventing
>>>>>>eavesdropping.
>>>>>
>>>>>I can see a lot of resistance from customers told they now
>>>>>need to buy and maintain a certificate from a CA just to run
>>>>>a webserver.
>>>>>
>>>>>Sure they can run a self-signed cert, but that doesn't fulfil
>>>>>the goal of giving the user security.
>>
>>Could we cut the FUD about needing to pay for certs? There are
>>indeed providers of free certificates (I won't mention names for
>>fear of being tarred with a marketing brush).
>>
>>>providers of free certs who
>>>
>>>a) verify the identity of the entity they issue the certificate to
>>>b) have a root cert that's sufficiently well deployed and
>>>trusted to be usable
>>>
>>>? I'd be keen to know more.
>>>
>>>if not a (which is incompatible with free) then is it really
>>>security?
>
>You can check the cert at the URL in my sig.

Ok thanks.

In the end though, even if the certificate itself isn't charged for, there's still a cost involved in obtaining and installing it. Generating a signing request etc, importing the certificate and managing the private key. These add a significant requirement to many HTTP server deployment scenarios, not the least in terms of level of knowledge of the person doing it.

>>And SSL/TLS is not *necessarily* tied to PKI, either.
>>
>>>OK. so no private key? Just some shared secret then?
>
>See for example the DANE WG:
>
>http://tools.ietf.org/html/draft-ietf-dane-protocol

thanks again!

Adrien

>Peter
>
>- --
>Peter Saint-Andre
>https://stpeter.im/
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.8 (Darwin)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iEYEARECAAYFAk9wPSwACgkQNL8k5A2w/vwUXwCgkMGTKxKbRqiK8mBJi9izlkzi
>djQAoLXQzTsvRCVRq1CJTqpfiVQRUoHM
>=LE6/
>-----END PGP SIGNATURE-----

Received on Monday, 26 March 2012 10:15:50 UTC