On Sat, Jan 3, 2009 at 4:39 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div><p><span class="Apple-style-span" style="font-size: 11px; ">In UCI, the user (all 6 billion of us) decide which OP is good, which CA is good - not Microsoft business analysts.</span></p>
</div></div></blockquote><div>Peter,</div><div>Microsoft leaves all 6 billion of us to choose which CAs are good. Every Windows OS admin has the freedom to manipulate the list of trusted CAs. But as with any UCI design, that means that each of those 6B people may have a unique set, and you'll never know for sure whether your cert is signed by a CA that a random one of those 6B chose to trust.</div>
<div><br></div><div>I'm not sure how we got off on EV certs. You absolutely don't need EV certs to make sure that some random RP will definitely accept the cert. There are several CAs out there that 99.9% of the browsers and RPs out there trust and they're often quite inexpensive. What problem am I missing?</div>
<div> </div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sat, Jan 3, 2009 at 4:39 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size:8.0pt">"CAs
who fail to meet the burden of proof for the broad business value of their
offering to Microsoft customers."</span></p>
<p><span style="font-size:8.0pt"> </span></p>
<p><span style="font-size:8.0pt">The
program listed fails the UCI test.</span></p>
<p><span style="font-size:8.0pt"> </span></p>
<p><span style="font-size:8.0pt">In
UCI, the user (all 6 billion of us) decide which OP is good, which CA is good -
not Microsoft business analysts.</span></p>
<p><span style="font-size:8.0pt"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:10.0pt;color:windowtext">From:</span></b><span style="font-size:10.0pt;color:windowtext"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Jorgen Thelin<br>
<b>Sent:</b> Friday, January 02, 2009 7:13 PM<br>
<b>To:</b> Eddy Nigg (StartCom Ltd.); <a href="mailto:general@openid.net" target="_blank">general@openid.net</a> >>
"<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>"<div><div></div><div class="Wj3C7c"><br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)</div></div></span></p>
</div>
</div><div><div></div><div class="Wj3C7c">
<p> </p>
<p><span style="font-size:11.0pt;color:#1F497D">While considering these issues, you guys may be interested to
see the details of the Microsoft Root Certificate Program.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p style="text-indent:.5in"><span style="font-size:11.0pt;color:#1F497D"><a href="http://technet.microsoft.com/en-us/library/cc751157.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc751157.aspx</a></span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">The Microsoft Root Program lists the details and requirements
for the Microsoft Root Certificate Program.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">The MS Root Program attempts to establish a minimum baseline for
PKI-based security -- to at least warn Windows / IE users before they make some
obviously bad decisions around SSL trust – such as warning users before they
access sites that use certificates with known weak hash algorithms.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">You can see the technical requirements for CAs in the above
document that are used by any browsers running on Windows.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> "Identity is easy, but Trust is hard!"</span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:10.0pt;color:windowtext">From:</span></b><span style="font-size:10.0pt;color:windowtext"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Friday, January 02, 2009 2:01 PM<br>
<b>To:</b> <a href="mailto:general@openid.net" target="_blank">general@openid.net</a> >> "<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>"<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)</span></p>
</div>
</div>
<p> </p>
<p>On 01/02/2009 10:45 PM, Martin Paljak: </p>
<p style="margin-bottom:12.0pt">On 02.01.2009, at 15:16, Eddy
Nigg (StartCom Ltd.) wrote:</p>
<p>Martin, failures and disclosing them serves the purpose to
improve and prevent them. I'm responsible for disclosing one of the listed
above, which however doesn't mean that public certification is a total failure.
It speaks rather for the dedication and also the ability of the industry to
control and improve itself. </p>
<p style="margin-bottom:12.0pt">Of course disclosure is good.
But as you have interests in one CA I have to take your opinion as probably
biased ;) </p>
<p style="margin-bottom:12.0pt"><br>
Right! And as such I have an interest that my work isn't de-valued by other
CAs. Such is the interest of many CAs and hence there is a real interest that
we (CAs) are able to uphold the promises we make as a collective. That's why
incidents such as I reported are extremely bad and must not happen. I'm active
in different forums out of my biased interest to make and keep PKI reliable.<br>
<br>
Disclaimer: Mistakes can happen, negligence must not however.<br>
<br>
</p>
<p><br>
"Nothing to see here, move along, EV fixes everything". Yes -
technically, within the boundaries set by the established CA business,
everything is OK and will be even better with EV. But I try to question the
existing, current approach of CAs doing business under the name "trust
business". CAs should deal with certification and users should be dealing
with trust issues and decisions. PKI as we know it now is not an implementation
I like as a (loud minority) user. </p>
<p style="margin-bottom:12.0pt"><br>
Well, the minority of the Netizens have the ability to make the decisions you'd
like them to make. I'm not sure about you, but how many CP/CPS of CAs have you
read recently before making a decision whether to trust?<br>
<br>
</p>
<p style="margin-bottom:12.0pt">Good question. As "you can
do anything with OpenID" I believe it is left open - you can do whatever
you want if you consider it useful. </p>
<p style="margin-bottom:12.0pt">Sure, that's why we are here,
aren't we? :-)</p>
<div>
<table border="0" cellspacing="0" cellpadding="0">
<tbody><tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p>Regards </p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p> </p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p>Signer: </p>
</td>
<td style="padding:0in 0in 0in 0in">
<p>Eddy Nigg, <a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p>Jabber: </p>
</td>
<td style="padding:0in 0in 0in 0in">
<p><a>startcom@startcom.org</a></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p>Blog: </p>
</td>
<td style="padding:0in 0in 0in 0in">
<p><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p>Phone: </p>
</td>
<td style="padding:0in 0in 0in 0in">
<p>+1.213.341.0390</p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p> </p>
</td>
</tr>
</tbody></table>
<p><span style="color:windowtext"> </span></p>
</div>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>
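<p>Two points in the thread above are easy to demonstrate in code: Andrew's observation that whether an OP's certificate is accepted depends entirely on which roots the relying party happens to trust, and Jorgen's note that a root program's baseline includes refusing certificates signed with known weak hash algorithms. The following Go program is an added example written for this page; it is not code from the OpenID list, from Microsoft, or from any CA. It builds two made-up roots ("Root A" and "Root B"), issues a leaf for the made-up host <code>op.example</code> from Root A, and shows that the same leaf is accepted by an RP trusting Root A and rejected by an RP trusting only Root B. The <code>weakSignature</code> check and the host name are assumptions made for the example; the set of algorithms it flags (MD2, MD5, SHA-1) matches what mainstream root programs and browsers have deprecated.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key; ECDSA keeps the example fast and dependency-free.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newRoot creates a self-signed CA certificate. The name is a made-up label
// for this example (e.g. "Root A"), not a real CA.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf has the given root sign a server certificate for host
// (the OP's HTTPS endpoint in OpenID terms). The host is an assumed value.
func issueLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// weakSignature flags signature algorithms that root programs and browsers
// have deprecated (assumed list for this example: MD2, MD5 and SHA-1 variants).
func weakSignature(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// rpAccepts models one relying party's decision: the leaf must chain to a root
// in *this* RP's store, match the host, and use no weak signature on the path.
// The same leaf will pass for one RP and fail for another with a different store.
func rpAccepts(leaf *x509.Certificate, trusted []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		// Skip the trust anchor itself: a root's self-signature is never verified.
		for _, c := range chain[:len(chain)-1] {
			if weakSignature(c) {
				return fmt.Errorf("%s signed with deprecated algorithm %v", c.Subject.CommonName, c.SignatureAlgorithm)
			}
		}
	}
	return nil
}

func main() {
	rootA, keyA := newRoot("Root A")
	rootB, _ := newRoot("Root B")
	leaf := issueLeaf("op.example", rootA, keyA)
	fmt.Println("RP trusting Root A:", rpAccepts(leaf, []*x509.Certificate{rootA}, "op.example"))
	fmt.Println("RP trusting Root B:", rpAccepts(leaf, []*x509.Certificate{rootB}, "op.example"))
}
```

<p>The first call returns <code>nil</code>; the second fails with an "unknown authority" error, even though the certificate itself is unchanged. That is the whole of Andrew's point: "trusted" is a property of the verifier's store, not of the certificate, so an OP that wants to be accepted by arbitrary RPs must chain to a root those RPs already carry.</p>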