Re: bozoproofing the net, was The Value of Reputation

>     John> Here's a concrete suggestion: it is clear that the bad uses
>     John> of DKIM people have mentioned are a subset of the bad uses
>     John> of STARTTLS.
>
> That's not clear to me.
> I'd never really considered the question though so it may well be true.

If walled gardens are the problem or the goal, STARTTLS is a swell way to
do it.

>     John> And the TLS world is dominated by a single signer whose
>     John> signing policies are opaque.
>
> Really?  Are you sure the TLS world is not dominated by users clicking
> OK trust this cert for anything they see, combined with a lot of self
> signed certs and certs from a variety of CAs?

The CAs that people use in web SSL are overwhelmingly signed by Verisign
or its subsidiaries like Thawte.  Geotrust is a distant second.

I honestly don't know what signers people use for STARTTLS but since
everyone uses the same small set of TLS libraries, my working assumption
is that they use the same small set of authorities, too.

>     John> So how about if we simply reuse the warning language about
>     John> STARTTLS from RFC 3207?
>
> What warning language?  I can't find anything related to this problem.
> I may not be looking carefully enough.

There isn't any.  That's my point.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
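The post's open question is which signers actually appear on STARTTLS certificates. As an added example (not code from John Levine's message or from any IETF work), the following Python script does a STARTTLS upgrade against a mail server, reads the certificate Python's ssl module reports, and classifies the signer by issuer organization, separating CA-signed from self-signed certificates (issuer equal to subject). The two sample certificate dictionaries, hostnames and CA names are constructed for illustration, in the shape `getpeercert()` returns, so the classification runs offline; only `starttls_cert()` needs the network.

```python
import smtplib
import ssl


def flatten_name(name):
    """Flatten a getpeercert() 'subject'/'issuer' value into a plain dict.

    getpeercert() represents a distinguished name as a tuple of RDNs, each
    RDN being a tuple of (attribute, value) pairs, e.g.
    ((('countryName', 'US'),), (('organizationName', 'Example CA'),)).
    """
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def is_self_signed(cert):
    """A certificate whose issuer name equals its subject name is self-signed."""
    return flatten_name(cert.get("issuer", ())) == flatten_name(cert.get("subject", ()))


def signer_label(cert):
    """Short label for the signer: issuer organizationName, falling back to
    issuer commonName, or 'self-signed' when issuer == subject."""
    if is_self_signed(cert):
        return "self-signed"
    issuer = flatten_name(cert.get("issuer", ()))
    return issuer.get("organizationName") or issuer.get("commonName") or "unknown"


def tally_signers(certs):
    """Count how many certificates each signer label accounts for."""
    counts = {}
    for cert in certs:
        label = signer_label(cert)
        counts[label] = counts.get(label, 0) + 1
    return counts


def starttls_cert(host, port=25, timeout=10):
    """Open an SMTP session, upgrade it with STARTTLS and return the peer
    certificate as a getpeercert() dict. Needs network access. With the
    default context the handshake is refused unless the certificate chains
    to a CA in the local trust store and its name matches the host."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed samples in getpeercert() shape; hostnames and CA are made up.
CA_SIGNED = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Inc."),),
        (("commonName", "Example CA Intermediate G2"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SELF_SIGNED = {
    "subject": ((("commonName", "mx.example.org"),),),
    "issuer": ((("commonName", "mx.example.org"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    # With no hosts given, classify the constructed samples instead of connecting.
    certs = [starttls_cert(h) for h in hosts] if hosts else [CA_SIGNED, SELF_SIGNED]
    for label, n in sorted(tally_signers(certs).items()):
        print(f"{n:4d}  {label}")
```

One caveat when running this against real servers: `getpeercert()` returns a populated dict only for a certificate the context verified. To inventory servers whose certificates do not validate (self-signed ones in particular) you would have to relax verification and fetch the DER with `getpeercert(binary_form=True)`, which then needs an ASN.1 parser the standard library does not provide.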




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.