<div dir="ltr">There are clearly 2 purposes to certificates and SSL that essentially are at cross-purposes.
<div><br></div>
<div>1) encrypt traffic in transit.</div>
<div>2) certify the identity of the other end.</div>
<div><br></div>
<div>Both boil down to trust.</div>
<div><br></div>
<div>The certificate that encrypts traffic still needs a trusted third party to verify the certificate, to prevent man-in-the-middle style attacks.</div>
<div><br></div>
<div>How can you build trust in the certificate provider? I'm pretty sure that both for-profit, and under-resourced and free, aren't working. This looks like privately resourced and free. The next option would be not-for-profit and not free - i.e. an actual at-cost basis providing some "pain" to prevent noise. I'm especially interested in the Bitcoin-DNS-trust-chain-like approach [citation needed]</div>
<div><br></div>
<div><a href="https://en.bitcoin.it/wiki/Alternative_chain">https://en.bitcoin.it/wiki/Alternative_chain</a><br></div>
<div><br></div>
<div>Correctly identifying someone on the internet is almost the definition of a joke.</div>
<div><br></div>
<div>Certificates don't actually identify people. They identify a DNS name and/or IP address. The transport is trusted to the DNS.</div>
<div><br></div>
<div>If you can't verify the DNS name holder, how can you identify that the DNS entry corresponds to the requestor of the certificate for that domain?</div>
<div><br></div>
<div>Worst case, automatic certificate generation for a DNS entry - you're no worse off.</div>
<div><br></div>
<div>The real problem isn't technical or regulatory... it's legal... DNS is an extension of copyright...</div><div><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 19, 2014 at 2:31 PM, Matt Palmer <span dir="ltr"><<a href="mailto:mpalmer@hezmatt.org" target="_blank">mpalmer@hezmatt.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Nov 19, 2014 at 12:18:42PM +1100, Jeremy Visser wrote:<br>
> On 19/11/14 10:34, Ernie wrote:<br>
> > It's going to be a non-profit organization that issues free<br>
> > certificates for any website.<br>
> ><br>
> > My question is, will this screw up companies like Verisign/Thawte<br>
> > sales?<br>
><br>
> Given that StartSSL have been around for years, and do exactly that: no.<br>
<br>
</span>No, they don't do "exactly that". StartSSL's free tier is *explicitly* only<br>
for personal use, and yes, they *do* check. Let's Encrypt appears to be<br>
ambivalent around the use that a certificate is put to, other than "it is<br>
used to secure traffic to your site".<br>
<span class="HOEnZb"><font color="#888888"><br>
- Matt<br>
<br>
--<br>
You have a 16-bit quantity, but 5 bits of it are here and 2 bits of it are<br>
there... and 2 bits of it are back here and 3 bits of it are up there. The<br>
C code to extract useful data had so many >> and << operators in it that it<br>
looked like the C++ version of "hello world". -- Matt Roberds, ASR<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Dr Paul van den Bergen<br><br></div>
</div>