[cabfpub] [cabfman] Improving the security of EV Certificates

Hill, Brad bhill at paypal.com
Wed Dec 18 16:51:21 MST 2013


From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org]

> I suggested that browser vendors nail the most important sites in their browser as "pins"
> and allow users to pin additional certificates to the respective sites.
…

There is no possible way that browsers can do this without explicit instructions from the sites involved.  Otherwise everything breaks when a site changes its certificate or adds a new one.  Thus, you need a (scalable) way to communicate that information to browsers for pinning.  Thus the HPKP draft at the IETF.  And all of the associated issues that have been explored over a period of years now by a wide-ranging group of technical experts.

Also, do you realize that you run a Certificate Authority?  And that the entire reason your business exists is that browsers don’t want to be in the business of manually binding keys to names and that users have no remotely plausible way to do that themselves?  If it were really that easy, you’d be out of a job.

-Brad

P.S.  This is the last reply I’m making on this thread to you Eddy.  We’ve had this same discussion over and over for months on different threads and you continue to repeat the same wrongheaded criticisms that misunderstand CT, and the same debunked, impossible and inappropriate alternatives.   For months now you’ve said you don’t have time to read and understand the technical drafts, but you appear to have infinite time to send half-baked ideas to the list. The most charitable interpretation is that you’re just stalling and wasting everyone’s time.  Mine, no longer.
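Brad's point that pins have to be communicated by the site itself, shown as an added example that is not part of the original thread: a minimal HPKP-style pin store in Python that parses a Public-Key-Pins header and checks a served chain against it, including what happens when a site rotates to a key it never announced. The SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for DER SubjectPublicKeyInfo
# structures; real pins hash the actual SPKI taken from the certificate.
SITE_KEY_SPKI = b"constructed-spki-current-key"
BACKUP_KEY_SPKI = b"constructed-spki-backup-key"
ROGUE_KEY_SPKI = b"constructed-spki-misissued-key"

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Header the site would send; the second pin is a backup key it holds offline.
EXAMPLE_HEADER = (
    "max-age=5184000; includeSubDomains; "
    f'pin-sha256="{spki_pin(SITE_KEY_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_KEY_SPKI)}"'
)

def parse_hpkp(header: str) -> dict:
    """Parse Public-Key-Pins; reject headers the HPKP draft says to ignore
    (fewer than two pins, meaning no backup, or no max-age)."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    max_age = re.search(r"max-age=(\d+)", header)
    if len(pins) < 2 or max_age is None:
        raise ValueError("HPKP header ignored: need >=2 pins and max-age")
    return {"pins": set(pins), "max_age": int(max_age.group(1)),
            "include_subdomains": "includeSubDomains" in header}

def chain_matches_pins(chain_spkis: list, pins: set) -> bool:
    """The connection is accepted if any SPKI in the served chain matches a pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)

def rotation_scenarios() -> dict:
    """Outcomes once a client has stored the pins from EXAMPLE_HEADER."""
    pins = parse_hpkp(EXAMPLE_HEADER)["pins"]
    return {
        # normal operation: served chain carries the pinned site key
        "current_key": chain_matches_pins([SITE_KEY_SPKI], pins),
        # planned rotation to the pre-announced backup key keeps working
        "rotate_to_backup": chain_matches_pins([BACKUP_KEY_SPKI], pins),
        # a mis-issued certificate for a key the site never pinned is rejected
        "misissued_cert": chain_matches_pins([ROGUE_KEY_SPKI], pins),
        # a key the site never announced is rejected too: the site, not the
        # browser, has to tell clients which keys to expect
        "unannounced_key": chain_matches_pins([b"constructed-spki-new"], pins),
    }
```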


From: Eddy Nigg (StartCom Ltd.) [mailto:eddy_nigg at startcom.org]
Sent: Wednesday, December 18, 2013 3:24 PM
To: Hill, Brad
Cc: Ryan Sleevi; public at cabforum.org
Subject: Re: [cabfpub] [cabfman] Improving the security of EV Certificates


On 12/19/2013 12:46 AM, From Hill, Brad:
> I guess nobody knows what you’re talking about, then.
>
> If you mean that every individual end-user ought to manually associate certificates to website addresses in their browser(s) then naïve is not a strong enough word.


But this is exactly how Diginotar was detected however - basically a few emails back I suggested that browser vendors nail the most important sites in their browser as "pins" and allow users to pin additional certificates to the respective sites. It's a very simple and efficient way to get some protection and allows detection for the most important sites.

I assume it's the same thing Rick referred to a few emails back as well. It's something that can be implemented easily at the client software as Google has already shown and the interested folks that have some understanding can refine it for their use.

I'm sure I'm not alone who uses the word "pinning" or to "pin a certificate" for this.

Regards



Signer:
Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
