[Nottingham] New CA on the block?

Mike Cardwell nlug at lists.grepular.com
Wed Nov 19 09:33:52 UTC 2014


* on the Wed, Nov 19, 2014 at 08:49:07AM +0000, Jason Irwin wrote:

> Have folks heard of this?
> https://www.letsencrypt.org/

Yes. Looks very good. Unless you work for an existing CA.

> El Reg:
> http://www.theregister.co.uk/2014/11/18/lets_encrypt_free_digi_certs/
> Non-El Reg:
> https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
> 
> Enough to restore some faith in the CA system

Not sure about that. If anything, every time you add a new CA, all you're doing
is making it so that there are more organisations who can potentially be
compromised or coerced into signing a certificate which they shouldn't.

> or do things like these remain the way forward:
> http://convergence.io/
> http://perspectives-project.org/

I'm not convinced these systems would work at scale, i.e. if every browser had
it built in. I don't think there would be enough notaries to make it work.
Unless an organisation like Google came along and hosted them. But then you lose
the variety, and the "trust agility" with it.

Certificate transparency is an interesting idea:
http://www.certificate-transparency.org/

Also, HTTP Public Key Pinning:
https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/

I think some combination of traditional CA, DANE, certificate transparency and
key pinning is the way forward. They can all work side by side. The difficulty
is in making it easy to set up and maintain these features. One mistake and all
of a sudden nobody can access your website any more.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
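The closing point about key pinning, that one mistake can lock every returning visitor out of your site, is the part a practitioner most needs to see concretely. The following is an added example, not part of the original message or the linked blog post: it computes HTTP Public Key Pinning pins exactly as RFC 7469 defines them (base64 of the SHA-256 digest of a key's SubjectPublicKeyInfo DER), assembles a Public-Key-Pins header, and then applies the same two checks a browser applies before it will honour the header, which are that at least one pin matches a key in the served chain and at least one pin does not (the backup key). The SPKI byte strings are constructed stand-ins; with a real deployment they would be extracted from the certificate and from the offline backup key. Browsers have since dropped HPKP (Chrome removed it in version 72), but the backup-pin discipline is the same one that matters for any pinning scheme.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each key.
# Real SPKI bytes come from the certificate (e.g. `openssl x509 -pubkey`); the
# pin computation below is the genuine RFC 7469 one: base64(sha256(SPKI DER)).
LEAF_SPKI = b"constructed-spki-der-for-the-leaf-key"
BACKUP_SPKI = b"constructed-spki-der-for-an-offline-backup-key"
INTERMEDIATE_SPKI = b"constructed-spki-der-for-the-intermediate-ca-key"

# Deployment policy assumption (not from RFC 7469): the longer max-age is, the
# longer a mistaken pin keeps clients locked out, so cap it at 60 days here.
MAX_RECOMMENDED_AGE = 60 * 24 * 3600

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of the SHA-256 digest of the SPKI DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Assemble a Public-Key-Pins header value from a list of pin-sha256 values."""
    directives = ['pin-sha256="%s"' % p for p in pins]
    directives.append("max-age=%d" % max_age)
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append('report-uri="%s"' % report_uri)
    return "; ".join(directives)


def parse_pkp_header(value):
    """Return (list of pin values, max_age or None) parsed from a header value."""
    pins = _PIN_RE.findall(value)
    match = _MAX_AGE_RE.search(value)
    return pins, (int(match.group(1)) if match else None)


def check_pkp_header(value, served_chain_spkis):
    """Pre-deployment check mirroring what a pinning client validates.

    Returns a list of problems; an empty list means the header is safe to
    serve for the given chain. RFC 7469 section 2.5 requires both a pin that
    matches a key in the chain and a pin that does not (the backup key).
    """
    problems = []
    pins, max_age = parse_pkp_header(value)
    chain_pins = {spki_pin(s) for s in served_chain_spkis}
    matching = [p for p in pins if p in chain_pins]
    backups = [p for p in pins if p not in chain_pins]

    if max_age is None:
        problems.append("missing max-age directive")
    if not matching:
        problems.append("no pin matches a key in the served chain: "
                        "clients that noted these pins would reject the site")
    if not backups:
        problems.append("no backup pin: rotating the leaf key would lock "
                        "pinned clients out for the whole max-age")
    if max_age is not None and max_age > MAX_RECOMMENDED_AGE:
        problems.append("max-age of %d seconds exceeds the %d second policy cap"
                        % (max_age, MAX_RECOMMENDED_AGE))
    return problems


if __name__ == "__main__":
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    good = build_pkp_header([spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)],
                            max_age=30 * 24 * 3600)
    risky = build_pkp_header([spki_pin(LEAF_SPKI)], max_age=365 * 24 * 3600)
    for label, header in (("good", good), ("risky", risky)):
        print(label, header)
        print("  problems:", check_pkp_header(header, chain) or "none")
```

Running the block prints a header that passes both checks and one that fails them (no backup pin, and a year-long max-age that would make any slip very expensive). The same check function can be pointed at the header and chain a live server actually returns, which is the "maintain" half of the difficulty the message describes.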