towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

Anne & Lynn Wheeler lynn at
Sun Aug 22 11:51:01 EDT 2010

On 08/22/2010 06:56 AM, Jakob Schlyter wrote:
> There is a lot of work going on in this area, including how to use secure DNS to
> associate the key that appears in a TLS server's certificate with the intended
> domain name [1]. Adding HSTS to this mix does make sense and is something that is
> discussed, e.g. on the keyassure mailing list [2].

There is a large vested interest in the Certification Authority industry
selling SSL domain name certificates. A secure DNS scenario is having
a public key registered at the time the domain name is registered ...
and then a different kind of TLS ... where the public key is returned
in piggy-back with the domain name to ip-address mapping response.

This doesn't have the revenue infrastructure add-on that happened
with the Certification Authority ... just is bundled as part of
the existing DNS infrastructure. I've pontificated for years that
it is catch-22 for the Certification Authority industry ... since
there are aspects of improving the integrity of the DNS infrastructure
i.e. Certification Authority industry is dependent on DNS ... aka
The Certification Authority industry has to match the information
from the SSL digital certificate applicant with the true owner
of the domain name on file with the DNS infrastructure (among
other things, requiring digitally signed communication that is
authenticated with the on-file public key in the domain name
infrastructure is a countermeasure to domain name hijacking ...
which then cascades down the trust chain to hijackers applying
for valid SSL domain name certificates).

At 50k foot level, SSL domain name certificates were countermeasures
to various perceived shortcomings in DNS integrity ... nearly any
kind of improvements in DNS integrity contributes to reducing the
motivation for SSL domain name certificates. Significantly improving
integrity of DNS would eliminate all motivation for SSL domain
name certificates. This would then adversely affect the revenue
flow for the Certification Authority industry.

I've also periodically claimed that OCSP appeared to be a
(very rube-goldberg) response to my position that digital
certificates (appended to every payment transaction) would actually
set the state-of-the-art back 30-40 yrs (as opposed to their
claims that appended digital certificates would bring payments
into the modern era ... that was separate from the issue of
the redundant and superfluous digital certificates representing
a factor of 100 times payment transaction payload and processing).

Anything that appears to eliminate competition for paid-for
SSL digital certificates and/or strengthen the position of
Certification Authorities ... might be construed as having
an industry profit motivation.

virtualization experience starting Jan1968, online at home since Mar1970
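The "public key piggy-backed on the DNS response" scheme the post sketches is essentially what later became DANE/TLSA (RFC 6698), and HSTS is specified in RFC 6797. The following is an added illustration, not code from the post or from either RFC's reference material: it checks a presented certificate against a TLSA-style record in DANE-EE form (the published key itself is the trust anchor, so no CA is consulted) and parses the HSTS header that tells a browser to keep using TLS. The DER blobs and the record are constructed stand-ins; a real client would take the certificate from the TLS handshake and the record from a DNSSEC-validated lookup of `_443._tcp.<domain>`.

```python
import hashlib
import hmac
from dataclasses import dataclass


# A TLSA-style record: the DNS-published association between a domain name and
# the key a TLS server is expected to present (modelled on RFC 6698 TLSA fields).
@dataclass(frozen=True)
class TLSARecord:
    usage: int        # 3 = DANE-EE: the published key/cert itself is the trust anchor
    selector: int     # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int     # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes       # association data in the form the selector/matching describe


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Derive the bytes a TLSA record would carry for this certificate."""
    try:
        chosen = {0: cert_der, 1: spki_der}[selector]
    except KeyError:
        raise ValueError(f"unsupported selector {selector}") from None
    if matching == 0:
        return chosen
    if matching == 1:
        return hashlib.sha256(chosen).digest()
    if matching == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unsupported matching type {matching}")


def dane_ee_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches a DANE-EE (usage 3) record."""
    if record.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) records are handled here")
    presented = association_data(cert_der, spki_der, record.selector, record.matching)
    # Constant-time comparison so a mismatch does not leak where the digests diverge.
    return hmac.compare_digest(presented, record.data)


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if result["max_age"] is None:
        raise ValueError("HSTS header without max-age is invalid")
    return result


# Constructed stand-ins (not real DER): a deployment would take these from the
# certificate the TLS server presented and from a DNSSEC-validated TLSA lookup.
SAMPLE_CERT = b"constructed-cert-der:example.com"
SAMPLE_SPKI = b"constructed-spki-der:example.com:key-1"
ROGUE_SPKI = b"constructed-spki-der:example.com:key-2"

# Record the domain owner would publish at _443._tcp.example.com (constructed):
# usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
PUBLISHED_RECORD = TLSARecord(
    usage=3, selector=1, matching=1,
    data=hashlib.sha256(SAMPLE_SPKI).digest(),
)

if __name__ == "__main__":
    print("registered key matches:", dane_ee_matches(PUBLISHED_RECORD, SAMPLE_CERT, SAMPLE_SPKI))
    print("different key matches:", dane_ee_matches(PUBLISHED_RECORD, SAMPLE_CERT, ROGUE_SPKI))
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
```

The point of the DANE-EE check is the one the post makes: once the key is bound to the name in DNS and that binding is DNSSEC-signed, a certificate that chains to a CA but carries a different key is rejected, so the CA's signature adds nothing to the decision. The HSTS parser only governs whether the browser insists on TLS at all; it says nothing about which key is legitimate, which is why the two mechanisms are complementary.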

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
