I wonder if DANE could have prevented Microsoft's recent difficulty with expired SSL certs. https://www.google.com/search?tbm=nws&as_q=microsoft+azure+ssl Instead of an annual bout with internal purchase order and invoice red tape and with red tape at the CA, could Microsoft have automated the generation of certs and fingerprint TLSA RRs just as many automate their generation of zone signing RRSIG RRs? (Never mind that microsoft.com lacks RRSIG RRs.)
...

> From: Doug Barton <do...@dougbarton.us>

> Are there CA vendors who give out EV certificates for "$fee + answer the
> e-mail"? I know you can get "basic" SSL certs simply by answering the
> e-mail from the CA.

I can't find anything about EV verification from registrars. Maybe I'm blind and stupid, or maybe writing down what they actually do would be too funny. I suspect you might need to submit a government registration document and answer a press-1-if-you're-human robo phone call. You won't forge the registration document, because the real things are so cheap, easy, and unverified. It's obvious nothing that I put in the online form to get
http://www.sos.state.co.us/biz/BuildCertificate.do?masterFileId=20051118531
was verified other than the credit card number for the $1.00 charge. (You might need to 'get' that URL twice.) See also
http://www.sos.state.co.us/pubs/info_center/fees/business.html

I've had DBA registrations in other states, and found them just as unimpressive.

How would you interpret section 5 of
https://www.cabforum.org/EV_Certificate_Guidelines.pdf
to sell me a $1500 EV cert?
https://www.symantec.com/theme.jsp?themeid=compare-ssl-certificates
You couldn't afford to have someone drive past my address to see if it's a vacant lot, not to mention ask my neighbors if they've seen anything shady or even ever seen me. If you want to sell certs to small businesses, then you cannot charge enough to do any checking.

> Not that "look for the green bar" is going to be a whole lot more
> successful than "Don't say yes to security exceptions you don't
> understand," but I'm curious. :)

Yes, EV certs are expensive tickets for slapstick security theater. Standard certs and the "mailboxes" (not SMTP but only for use after you log into your GoDaddy account), theft protection, scanning, and other hokum that GoDaddy sells are cheap seats.

(Your recent claim that all registrars up-sell the same junk as GoDaddy is wrong. I trust that all of the registrars you've seen are as you said and like GoDaddy, but I've seen nothing like GoDaddy. That might be because I don't look at registrars that I've heard bad things about or that advertise prices below what I know of their costs (e.g. registry fees). I know they'll more than make up their losses in ways I'm too dumb to catch.)

Vernon Schryver v...@rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
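
Added example, not part of the original message: the automated "fingerprint TLSA RR" generation asked about in the first paragraph, shown as Python that hashes a certificate's SubjectPublicKeyInfo into a `3 1 1` (DANE-EE, SPKI, SHA-256) TLSA record. The owner name, TTL and the sample certificate skeleton are constructed assumptions, not values from the thread.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    tag, pos, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    tag2, pos, _ = read_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, after = read_tlv(der, pos)
    if tag == 0xA0:                            # optional [0] version (absent in v1 certs)
        pos = after
    for _field in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]

def tlsa_rr(owner, cert_der, ttl=3600):
    """Build a usage 3, selector 1, matching type 1 TLSA record in zone-file form."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).hexdigest()
    return f"{owner} {ttl} IN TLSA 3 1 1 {digest}"

# --- constructed sample: a certificate skeleton, not a real certificate ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value    # short-form lengths only (< 128 bytes)

EMPTY = tlv(0x30, b"")                         # stands in for fields the TLSA hash ignores
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))   # OID 1.3.101.112 (Ed25519)
                  + tlv(0x03, b"\x00" + bytes(range(32))))      # constructed key bytes
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                        + EMPTY * 4 + SAMPLE_SPKI) + EMPTY + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_rr("_443._tcp.www.example.com.", SAMPLE_CERT))
```

With selector 1 the record changes only when the key changes, so reissuing a certificate for the same key needs no DNS update. A PEM file can be converted first with `ssl.PEM_cert_to_DER_cert()`.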