On Fri, 2015-05-29 at 22:21 +1000, Riley Baird wrote:
> > LetsEncrypt will save us!
>
> I just looked that up. What a wonderful idea!
I don't know how you missed it. My tongue has been hanging out for a
year now. Finally, sanity prevails.
A https cert is supposed to certify www.someone.com is the person who
controls the servers managing www.someone.com. Traditionally, the
certifiers have relied on business names, trademarks, directors names -
all sorts of things that have one thing in common - they don't actually
prove you control www.someone.com. The more things unrelated to whether
you controlled www.someone.com they asked you to prove, the more they
charged for the certificate. If you wanted an example of marketing
triumphing over engineering, the CA system is it.
LetsEncrypt is a pure embodiment of the "you control it you own it"
principle.
They could do better. A lot better. For example they could insist you
control www.someone.com for a while - say repeatedly confirm over a
month. This would thwart the guy who took over www.hotmail.com for a
while [0]. And they could allow people to register an interest in
someon.com or someon.co, so if someone registered a cert with it they
would know.
Regardless, when LetsEncrypt works we will have made a step forward.
[0] http://news.cnet.com/Good-Samaritan-squashes-Hotmail-lapse/2100-1023_3-234907.html
Fortunately for Microsoft it was a Linux nutter. When he couldn't
access his hotmail account he diagnosed it, registered the domain,
and then gave it back to Microsoft.
Attachment:
signature.asc
Description: This is a digitally signed message part