On 3/13/2015 10:02 AM, Ville Määttä wrote:
> On 13.03.15 15:27, Werner Koch wrote:
>> The more expensive CAs are only selling you a fashionable background
>> color for your the client's address bar.
>
> Essentially, that's it :).
>
> There are however clearly defined hard requirements to the Extended
> Validation, aka "green bar" level. That is, more involved validation of
> the organization and the person requesting the certificate. But those EV
> certs can be had for cheaper than hundreds of dollars per year.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

This topic brought to mind some interesting proposed RFCs that could
essentially eliminate the need for centralized certificate authorities.
Just wanted to get some opinions on the topics since it's related to
certificate issues and the slavery of security to an external authority.

The combination of DNSSEC[1] and DANE[2] authentication can essentially
make a self-signed certificate as legitimate as one signed by an
"official" CA (if I'm not mistaken). There were some security
implications IIRC, but not being a professional on the subject, I'm not
sure what they were.

I started implementing them on my own website and I am very interested
in seeing these proposals become official standards. I'm also interested
in anyone else's thoughts who might have more insight into the downsides
or repercussions of relying strictly on such a system (if external CAs
no longer existed, for example).

[1] https://tools.ietf.org/html/rfc4035
[2] https://tools.ietf.org/html/rfc6698

-- 
Antony Prince
Key ID: 0x4F040744
Fingerprint: FE96 5B7F A708 18D3 B74B 959F A6E1 6242 4F04 0744
URL: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xA6E162424F040744
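
Added example, not part of the original message: a Python sketch of how a client could check a self-signed leaf certificate against an RFC 6698 TLSA record with certificate usage 3, which is the case the message describes. The function names and the constructed certificate skeleton are assumptions for illustration, and the `dnssec_validated` flag stands in for the answer of a validating DNSSEC resolver.

```python
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                 # Certificate SEQUENCE -> its contents
    _, pos, _ = _tlv(der, pos)               # tbsCertificate SEQUENCE -> its contents
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)
    return der[pos:end]

def dane_ee_match(tlsa, cert_der, dnssec_validated):
    """Check a leaf certificate against one TLSA record (certificate usage 3)."""
    usage, selector, mtype, assoc_hex = tlsa
    ok = usage == 3 and selector in (0, 1) and mtype in (0, 1, 2)
    if not (dnssec_validated and ok):        # unsigned TLSA data proves nothing
        return False
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype:                                # 1 = SHA-256, 2 = SHA-512, 0 = exact bytes
        data = hashlib.new("sha256" if mtype == 1 else "sha512", data).digest()
    return data == bytes.fromhex(assoc_hex)

def _enc(tag, body):                         # DER encoder; sample stays under 128 bytes
    return bytes([tag, len(body)]) + body

# Constructed sample data: a certificate skeleton, not a real key or signature.
SPKI = _enc(0x30, _enc(0x30, _enc(0x06, b"\x2b\x65\x70")) + _enc(0x03, b"\x00" + bytes(range(32))))
def make_cert(serial):
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, bytes([serial]))
               + _enc(0x30, b"") * 4 + SPKI)
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00" + b"\x55" * 16))

PIN_SPKI = (3, 1, 1, hashlib.sha256(SPKI).hexdigest())               # "3 1 1" record
PIN_CERT = (3, 0, 1, hashlib.sha256(make_cert(1)).hexdigest())       # "3 0 1" record

if __name__ == "__main__":   # reissued cert, same key: SPKI pin vs whole-cert pin
    print(dane_ee_match(PIN_SPKI, make_cert(2), True), dane_ee_match(PIN_CERT, make_cert(2), True))
```

A pin on the SubjectPublicKeyInfo (selector 1) keeps matching when the certificate is reissued with the same key, while a pin on the whole certificate (selector 0) has to be republished in DNS at every reissue.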