Re: [pkix] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication

Carl Wallace <carl@redhoundsoftware.com> Mon, 12 December 2011 13:36 UTC

Date: Mon, 12 Dec 2011 08:36:20 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: "Miller, Timothy J." <tmiller@mitre.org>, Adam Langley <agl@google.com>
Cc: IETF PKIX WG <pkix@ietf.org>, Ben Laurie <ben@links.org>

>
>That's not quite what I was asking.  How does the browser know that the
>list of notaries provided with the proof are the "correct" notaries for
>the site?  

This sort of gets at a different question.  Why does a browser need to
always operate with a broad trust posture?  Folks know when they are
banking and could easily indicate that intent to the browser, without
needing to have the ability to authenticate their favorite shoe shop,
doctor, etc. during that session.  This selection could be implemented as
a selection of notary (or a temporary reduction of the TA store, or a
temporary usage of name constraints, etc.).