[cabfpub] [cabfman] Ballot 92 - Certificate examples to aid discussions.

Ryan Hurst ryan.hurst at globalsign.com
Wed Nov 7 11:37:51 MST 2012


Ryan (Sleevi),

 

> So then the argument here is that this is a UI issue, and has been
mentioned elsewhere by several browsers, I don't believe

>  there is present interest in discussing mandatory UI behaviours, which
this proposal feels like a direct run-around to. While

> I'm sure I can speak for all browser vendors when I say that user security
is at the forefront of our concerns, I don't believe

> this is the best way to spark those discussions by proposing to forbid
some forms of DV simply because you disagree with

> the UI afforded to DV.

 

The issue is not so much about the UI, the UI (though I am sure we all agree
it could be improved) but about what the binding in the certificate says.

 

Fundamentally a certificate is a binding of a key to an identity, the
presumption of which is that the holder of the key is the named entity.
Certificates where there is no discernible binding to the entity that holds
the key provide relying parties no way to tell who can see the data
in-flight which is in the case of SSL the reason the certificates are used.

 

This is the problem trying to be addressed here.

 

> Again, and has been repeatedly mentioned, if Mallory, the recipient of
such certificates, possesses three certificates - one 

> for www.bankofamerica.com, one for www.bobsbits.com, and one for both -
then she is fully capable of decrypting all traffic.

> Requiring that Mallory be issued two distinct certificates has no
practical or marginal security benefits over issuing Mallory a

> single certificate. The only reason to mention that Mallory can
see/decrypt all information is to suggest that with two DV

> certs she somehow cannot - eg: that there are security benefits - and it
has been shown that it does not.

 

True but in this case a relying party knows that this is the case and that
is an important difference.

 

> If you believe there are situations where Bank of America (or any other
organization, big or small) may not be aware that 

> certificates have been issued for domains under their control, please let
the browsers know so that they can respond

> appropriately.

 

Of  course, this is not the problem trying to be addressed this is about the
relying party not the subscriber.

 

Ryan (Hurst)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20121107/36fc81d1/attachment.html 


More information about the Public mailing list