Re: [TLS] Straw poll on TLS SRP status
It works well enough that the browsers have it now (at least IE), and
also IKE implementations from several vendors including Microsoft.
When and if the likes of Verisign start issuing them remains to be
seen, as well as when the rather ubiquitous Microsoft CA will begin
to issue such certs.
On Jun 5, 2007, at 11:25 AM, Peter Gutmann wrote:
Yoav Nir <ynir at checkpoint.com> writes:
In TLS it works pretty well, because usually a website gets a cert from someone on Explorer's list, so as long as they get a license, everyone is fine.
According to a SecuritySpace survey from a few years ago (discussed in Simson Garfinkel's thesis), 58% of all SSL server certs in use today are invalid for some reason (unknown CA, self-signed, expired, whatever). "Not issued by a recognised CA" covers about 30% of all SSL server certs. There aren't any figures available for opportunistic-encryption facilities like STARTTLS et al, but I'd imagine it's closer to 100% there since opportunistic encryption more or less by definition doesn't care about officially-sanctioned crypto. So "issued by a recognised CA" only starts to address a small corner of the market.
In any case even if you do want to go with a recognised CA, how many recognised CAs will actually issue you an ECC cert? No matter how you look at it, the Certicom "license" doesn't work.
Peter.
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.