- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 18 Jul 2012 19:12:04 +0200
- To: Zhong Yu <zhong.j.yu@gmail.com>
- Cc: "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 18 Jul 2012, at 19:01, Zhong Yu wrote:

> On Tue, Jul 17, 2012 at 10:25 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
>> What about the other hundreds of millions of us running web servers. You
>> gonna buy us our certs?
>
> Agreed. It's absolutely impractical to mandate officially signed certs
> on every website. That's a huge hurdle for small sites; and all big
> sites started from small sites.

Unless of course you start deploying IETF DANE, which could make the procurement of such certs a lot easier, since it just requires placing a public key in DNSSEC.

http://tools.ietf.org/wg/dane/

Making it easy to install such certs could be the task of a WG. Then one could add other services to verify that these certificates are not tampered with.

Henry

>
> ---
>
> Here's a related story that's very interesting. Self-signed certs are
> used by the official ticket booking site of the Ministry of Railways of
> China. Apparently they want to save a few bucks.
>
> Customers are asked to download and install an untrusted root cert
> from its website. From the average user's point of view, that makes sense
> - if you do more work, that's got to increase security, right? Almost
> everybody in China takes trains, so this root cert must have been
> installed widely.
>
> http://www.12306.cn
> "To ensure a smooth booking experience, please download and install
> the root certificate"
>
> http://www.12306.cn/mormhweb/kyfw/question/201204/t20120427_2115.html
> FAQ
> Security Alert
> When a user tries to log in, often he/she will see IE security
> warnings ... That's because the user has not imported the root
> certificate shown on the home page ... To navigate the site smoothly,
> simply follow the instructions and import the root certificate.
>
> the root cert and instructions:
> http://www.12306.cn/mormhweb/ggxxfw/wbyyzj/201106/srca12306.zip
>
> a cert signed by the root cert
> https://dynamic.12306.cn
>

Social Web Architect
http://bblfish.net/

Received on Wednesday, 18 July 2012 17:12:46 UTC