per-entity - RE: [Per-Entity] HTTPS transport and TLS trust
Subject: Per-Entity Metadata Working Group
- From: "Cantor, Scott"
- To: Scott Koranda
- Subject: RE: [Per-Entity] HTTPS transport and TLS trust
- Date: Tue, 6 Sep 2016 15:52:51 +0000
> My naive understanding was that many of the commercial CDN
> providers allow one to specify the X.509 certificate chain to
> be used for TLS.
>
> Am I wrong or missing the point or ?
I think I read something leading me to believe that wasn't true. I guess I
wasn't thinking...if you have to make the one single name resolve to many
different CDNs, I guess that implies control of the key.

But it doesn't entirely invalidate the point. The preferred model is a
self-signed certificate. But if you don't share the key across all the CDNs,
you'd end up with multiple trust anchors either way, and the consumer would
have to trust all of them. Manageable but annoying.

You can easily see why the CDNs get away with that. People don't really care
who the certs are from on web sites and the real goal is to get certs that
will be trusted automatically with no explicit choice to do so. Automatic
trust is an oxymoron IMHO.

-- Scott