[cabfpub] Difference between CA issued DV and DANE certs
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Oct 19 21:23:01 UTC 2012
On 10/19/2012 04:46 AM, From Jeremy Rowley:
> 3) As has been pointed out thoroughly in a variety of forums, including most
> notably the revocation working group, that in practice, revocation as
> implemented today by Every Major Browser is not a security mechanism.
>
> [JR] This is primarily a result of browsers refusing to use the information
> provided, not the CAs providing the information.
I think we should consider this a bit differently - revocation works to
the extent to make a certificate unusable for broad (bad) purpose and
commercially uninteresting.
It doesn't work for very specific situations where a considerable effort
must be invested and certain control of the networks in question is a
must. This could be a state actor for example.
But all the naysayers of revocation mechanisms should carefully point
out when and for which specific situations it doesn't work and where it
does work. I think the claim in this respect is exaggerated.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>