Re: [TLS] Straw poll on TLS SRP status

Yoav Nir <ynir at checkpoint.com> writes:

>In TLS it works pretty well, because usually a website gets a cert from
>someone on Explorer's list, so as long as they get a license, everyone is
>fine.

According to a SecuritySpace survey from a few years ago (discussed in Simson
Garfinkel's thesis), 58% of all SSL server certs in use today are invalid for
some reason (unknown CA, self-signed, expired, whatever).  "Not issued by a
recognised CA" covers about 30% of all SSL server certs.  There aren't any
figures available for opportunistic-encryption facilities like STARTTLS et al,
but I'd imagine it's closer to 100% there since opportunistic encryption more
or less by definition doesn't care about officially-sanctioned crypto.  So
"issued by a recognised CA" only starts to address a small corner of the
market.

In any case even if you do want to go with a recognised CA, how many
recognised CAs will actually issue you an ECC cert?  No matter how you look at
it, the Certicom "license" doesn't work.

Peter.


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.