
Re: authenticated archives, was https

2011-08-29 10:20:09
Keith Moore wrote:
On Aug 27, 2011, at 10:31 AM, John Levine wrote:

TLS for session privacy is nice, but I find negligible value in a
little lock icon in my browser that means only that one of the several
dozen cert issuers configured into my browser, most of whom I've never
heard of, and many of whom aren't even the organization in the cert
name, signed something.

+1. IMO browser vendors have made TLS nearly useless for web browsing by including so many default CAs; some with dubious integrity, and a few with a demonstrated lack of integrity.

Interesting viewpoint. Are you advocating for a monopoly or oligopoly centralization?

I haven't read anyone mention OCSP (Online Certificate Status Protocol), which used to be off by default, but appears to be enabled by default now by updated browsers. It was painful to solve a customer problem when most browsers worked fine with a brand new certificate but failed when newer browsers had OCSP enabled. Some miscommunication issue on the type of certificate bought and wildcard domains. The CA has revoked it but only via OCSP was it detectable.

The ongoing direction of dynamic tracking of anything and anyone continues to amaze me.

--
Sincerely

Hector Santos
http://www.santronics.com


