On 07/28/2017 02:10 AM, Vittorio Bertola wrote:
> On the Web, instead, users do want to know which company is actually running the website that they are visiting, and not just that they are really connecting to that hostname, so CAs offer additional value in respect to DANE.
Full STOP! I disagree that CAs can offer what I think you are ascribing to them.
I agree that end users probably do want to believe that paypal.com is truly PayPal. I also agree that the CA ecosystem that we have does in fact do that. I.e. Extended Validation certificates.
<Insert note about common lack of differentiation between DV / OV / EV certs.>
I do not believe that our current CA ecosystem prevents a different entity (in a different language / culture / etc) from running a site as PaypALL.com, having fully validated themselves as a legitimate business entity.
Sadly, these two domain names, paypal.com and paypall.com, are effectively homonyms of each other, and can relatively easily be confused by end users.
Think of this like the two different businesses below:

AirPower (Engines)
10 Example Drive
New York NY

AirPower (Paint Sprayers)
10 Example Street
New York NY

I feel like there is extreme potential for confusion of "street" vs "drive" and that packages will inevitably go to the wrong business.
Which business has more authority to claim the name / address? What if the business owners are from different cultures / languages / etc?
Can anyone really say with any authority that either of them should not be allowed to use the name / address / URL?
I am firmly of the opinion that the existing CA ecosystem can say that each business is indeed who they claim to be, at the address they state. - However this does not extend to saying that they are NOT elsewhere.
I believe that humans want this, but that this can not be done the way things are done today.
(This also screams of some of the ongoing discussions with Let's Encrypt offering DV certificates, which only validate the hostname that you're connecting to, not who runs them.)
I feel like we are evolving into a new era where we are no longer satisfied with just saying that something is encrypted ~> secure. We now want new information that speaks to "who" something is and is not. This is a new question that we need to answer, and the industry will need to adjust, or educate end users.
-- Grant. . . . unix || die