Re: [Asrg] 6. Proposals - AMTP (rev 01) - MPC

2003-10-06 14:44:31
From: "Markus Stumpf" <maex-lists-spam-ietf-asrg(_at_)Space(_dot_)Net>
> You surely mean "block list" and not CRL.
> CAs certify identity and if I'd buy a cert that correctly says "you are
> mail.example.com" and they'd revoke it because I don't stick to MPC
> I'd sue them to Pluto and back.

This is not generally true. There are different kinds of certificates that
are created for different purposes and their use is subject to contracts.
The certificate can be revoked if you fail to abide by the terms of the
contract.

See, e.g.
http://www.verisign.com/repository/agreements/codesigning/subscriber.html

I have proposed a specific anti-spam certificate which would only be issued
when the subscriber states what anti-spam policy will be followed and
contractually agrees to it.

> And exactly this is the reason why I don't "trust":
> 1) I don't trust CAs in general, because they have done (Verisign/Microsoft)
>    and probably do enough bullshit with certs. (If I look at what happens
>    when customers buy certs ... oh my god).

The fact that Verisign made a mistake is not a good argument.  No system
will ever be perfect and certainly the PKI is relatively new.  Verisign
detected the mistake within a reasonably short period of time and acted to
correct it.

If someone has suggestions for improvement to the PKI, or an alternative to
it, by all means let us know.  I haven't seen any system (e.g. "web of
trust") that was actually workable.

There is now an independent system for standards and auditing of CAs
(http://www.webtrust.org/certauth.htm) and many CAs have been
credentialed under this program.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg