Shame on you, Comodo!

Excellent point… let’s define “authentication”…

First of all…why do we encrypt the data?
Because we don’t want unintended recipients to see the data… right? (Please confirm)
That means, to me, authentication means that I know and trust the end entity that will decrypt my encrypted code.

Fair definition of “Authentication”?

yeah. seems legit.

Well, some things that have no real importance and/or personal info need neither auth nor crypto, or, as I said, where authentication would be useless anyway, e.g. in point-to-point connections. Also many places where you don’t encrypt might or might not need authentication. For example, I don’t care if somebody sees me downloading TeamViewer, VNC or whatever, but I certainly don’t want that stuff to get tampered with, and in certain high-performance scenarios where privacy is not an issue but it should be tamperproof, auth without crypto might come in handy as well because you don’t need to encrypt and sign but only sign.

Technically, authentication even happens in normal life: for example, when you speak with a friend and he has a clearly different voice, you know that something is wrong.

But in internet connections authentication is important on most sites, especially considering that you enter personal data at many places (even if it’s just a password only for that site).

Also about the interesting encrypt-or-not part:
With DNS and DNSSEC I think the authentication is important no matter whether the stuff gets sent encrypted or not (and they are taking it seriously: they take SEVEN people every 3 months to sign the new DNS Root Zone keys while the key signing key is locked tight at all other times, and to transfer the actual key we need even more ppl, let me see, all 7 crypto officers, the 2 safe admins, the internal witness plus the ceremony admin, making eleven people for that thing).

One main reason why DNSSEC doesn’t need to be encrypted is that DNSSEC then has the problem of how we work the crypto keys and so on, which gets a bit annoying, especially since I think that CAs as they are now are a bad model in general (as I said earlier, anyone can certify anything) because it makes misissuances easy enough (we remember Verisign/Symantec, don’t we; oh, and now Bluecoat (maker of MITM hardware) has their own intermediate cert which has no restrictions aside from pathlen 0, which means they can make domain certs as they want).

Also a very important point, as I said: the level of authentication should be reasonable. In enough cases it would even be enough if they are authenticating by their domain or, going a bit weirder, a social network username/ID (obviously one that CANNOT be changed or taken again by another person), so I would know for example (important: this is fictional) that a person who goes by “linuxabc” on Google+ makes a software and has a forum related to that. I don’t need to know the real name of that person, since that isn’t shown to me in most occasions anyway. In that case an identity cert would bring me nothing, since I can’t establish the connection between the person where I know the stuff comes from (linuxabc on Google+) even if I knew that the operator is called “John Smith” (especially in cases of very common names it helps even less, not to forget that the name of a person can change easily by marrying, which could lead to confusion if the people), and there it would be more helpful to have the identity link by their online identity.

So the question is also where you put the “identity link”, as I like to call it.

Even if your name were in the EV cert you have instead of Comodo, many people don’t know the names of the CEOs and stuff of companies, and even those can change (like it happened with Google when the 2 main people went to Alphabet). That’s why EVs use the company name as identity link.

Now that we have established the definitions…let me pose a question to you please.

Is it doing consumers a service or disservice to put a DV cert (and I am sure you know it doesn’t validate the applicant) on an ecommerce site, where a brand new user going to that site will think they are “safe” because they see the lock?

We have multiple problems in the market place.

1) People do not understand that “encryption without identifying the recipient” is a fallacy.
2) Browsers show “trust indicators” for stuff that has no trust in it.

Of course if I am logging onto my mail server and I know the URL/IP address (where a pre-established trust exists between me and the URL/IP) I might not need authentication but just encryption. You see, in reality you will always need authentication for encryption, but sometimes that authentication is pre-established. In cases where “authentication” is pre-established, all you need is just encryption.

But at the moment, I see encryption being used to “establish trust” (whether we like it or not, that’s how a good chunk of consumers are seeing it) where there is no authentication inside the certificate (e.g. the applicant has not been identified or vetted). To me this erodes trust. Would you agree with that? My goal is to help educate people to understand that “encryption” on its own, without “authentication”, is pretty useless.

Well, the fact that the lock is for trust is a thing I disagree with. I mean, anyone could put a lock on something, so it’s a bad sign (one reason why it’s sad that Firefox restored the locks in version 14; before that they either had a blue bar with the cert domain or a green bar for an EV company name).

About ecommerce (and many other things) we get to the “identity link” problem I described earlier, but before that let me clear up one of your misconceptions:

Of course if I am logging onto my mail server and I know the URL/IP address (where a pre-established trust exists between me and the URL/IP) I might not need authentication but just encryption.

Stop. You would need at the very least an authentication over the domain name, because otherwise you don’t know who has the cert and may MITM you (e.g. a company proxy), so you need at the very least an identity link to the domain and/or IP.

About who needs DV or should get better:

Well, let’s kick OV out, because without checking the cert you don’t see anything of that, so it’s mostly useless for HTTPS and the average user.

For many sites, I think, that literally identify themselves over their domain because they are mainly on the internet and/or started there (like Google or Amazon), the domain name would be enough as identity link, because it’s a known fact that Google is called via google.com or google.de and so on; similarly for Amazon, their addresses are publicly known and identify the company.
Also, as I said, in some cases it can get confusing: for example, when I am on amazon.de an EV cert would probably show “Amazon sarl (Luxembourg)”, which may look weird to people who explicitly called German Amazon and don’t know that the European Amazon is there.

For places like banks I would say they should always be EV, especially because they sometimes have long domain names which many people don’t type in but get to using links, and that makes it easier to hide stuff. Banks are also something that primarily exists in real life, meaning that for banks and many things that are primarily in real life an identity link to the actual company might make a lot more sense.

So my general idea is: what part of the identity is the best known for what you want to offer? Use that as the identity link.

Lock thingy: some say they trust it, some say they don’t. We do get A LOT of emails from consumers on a daily basis complaining that they entered into a transaction with the site trusting the padlock.

Giving trusted domains as an example might not show the true problem, because you already trust the brand and that is the “pre-established trust”; hence going to a domain that you already trust will only require encryption. (MITM is yet another problem…)

All i am trying to do here is to create use cases where we can use “Encryption” and “Authentication”.

Now you have introduced the next concept… if a domain name is good enough “authentication/identification” of who you are encrypting for…

So here is a new question: when a person is encrypting data for a domain name (with no pre-established trust), is it sufficient identification/authentication to let the user know who they are encrypting the data for?

It might have been innovative in 2007 to limit the lifetime of all certificates to ninety days, with automatic renewal. But Comodo still issues DV and OV certificates with a lifetime of up to three years, and EV certificates with a lifetime of up to two years¹, while the free DV certificates are limited to a lifetime of ninety days. Automatic renewal? I don’t see it in the FAQ². I think automatic renewal is essential, but I realise it threatens a certain business model. :wink:

One may see the limitation of the lifetime of the free certificate as a way to make people consider paying for a certificate with a longer lifetime. (You spoke of business model.) Innovative?

I also noticed that the certificate from Comodo one can get for free through CloudFlare has a lifetime of seven months, and the certificate one can get through One.com is valid for one year. Why?

You say lifetime matters, but apparently it doesn’t matter if it’s ninety days, seven months, one, two or three years. ??? Instead you choose to rely on revocation. Does revocation even work? That is also why technically obsolete certificates are still in use. It’s not hard to find a certificate using SHA-1 that will expire in 2017.

To clarify: when I said “With automatic renewal, the lifetime doesn’t matter much to the user”, “the user” means the CA’s customer, and “lifetime doesn’t matter much” is meant in a practical way. No extra work is required if the lifetime is only a few days than if it is several years.

I think long-lived certificates should be deprecated. But customers demand it? If a customer wants a certificate with a lifetime of three years, offer a subscription and issue short-lived certificates with automatic renewal. :-La That’s an innovative idea in 2016. Or should that be 2006? :wink:

¹ Sectigo
² Knowledgebase - Powered by Kayako Help Desk Software

Whether revocation works or not is not a function of CAs but of browsers. The technology is there; it just needs to be deployed for a more robust revocation system.

You are trying to solve the revocation problem via short-term certs. Both are legit ways, with pros and cons for both.

In order to understand how short the cert should be, you need to understand how fast the crime is. For example, phishing is done in about 6 hours… so they only need a cert for about 6 hours to cause damage… a 1-day short-lived cert will allow this to be perpetrated. Whereas revocation could pretty much be instant.

But the problem is that we would need a good revocation system. One idea is already rolling, the so-called “must staple” for OCSP: basically, in the cert it says that a valid OCSP staple is needed (which is essentially an extremely short-lived cert for the actual cert, which gets directly stapled onto the TLS message by the server, meaning that there’s no need to check external servers).
But even OCSP has a lifetime, so it won’t be THAT instant unless you have servers big enough to sign like every few minutes.

@jowa about the free certs: according to the site I linked at the bottom of page 1, there isn’t just no automatic renewal but more like no renewal AT ALL (one issuance per domain).

@ceo I think we should split off the authorization discussion, since I think it really goes quite off the main topic.

But I think there should be the identity link in the cert that a user can relate best to, and if that’s not already the domain, add DV for automatic validity checks.

And I think that the user should be shown what the cert is trusting.
But the lock needs renewal. On Firefox forty-something they made a change I don’t really approve of: all locks that aren’t errors are green. I would have liked them to keep grey for DV/OV.
And even EV doesn’t say that the site is good, legal or anything, only that it belongs to a certain company and that this has been thoroughly validated.
So even EV shouldn’t be equal to blind trust; they should at least check on the company.

Also, in most average scenarios there is no “no established trust”; there is always at least one part where the user knows for definite.
If a user searches his bank on Google and clicks on the link, he should get an EV because he can relate best to the bank itself.
And the browser trusts his CAs, which creates another trust relationship, not only between the cert and the posted code (and therefore the displayed content), but also between the domain and the content. In case of any extra identities listed in the cert, the user can make a trust link between the content and the company listed. And even with a DV he can see this site is definitely google.com (and people know that’s Google, be it EV or not).
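The “must staple” extension and the short-lived certificate discussed above, as an added example that is not code from this thread or from any CA. It assumes OpenSSL 1.1.1 or later (for `-addext`); the hostname example.test, the temporary paths and the two certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: issue self-signed test certificates and check two properties
# from the discussion, the "must staple" TLS Feature extension (RFC 7633) and
# a short lifetime. Assumes OpenSSL >= 1.1.1; all names and paths are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT_PEM DAYS [MUST_STAPLE]
# Writes a self-signed cert for the placeholder host example.test into OUT_PEM,
# valid for DAYS days; pass "yes" to add tlsfeature=status_request (must staple).
make_cert() {
  out="$1"; days="$2"; staple="${3:-no}"
  ext=""
  if [ "$staple" = "yes" ]; then ext="-addext tlsfeature=status_request"; fi
  # $ext is intentionally left unquoted so it splits into two arguments
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$out.key" -out "$out" -days "$days" -subj "/CN=example.test" \
    $ext 2>/dev/null
}

# has_must_staple CERT -> exit 0 if the cert demands a stapled OCSP response
has_must_staple() {
  openssl x509 -in "$1" -noout -text | grep -q 'status_request'
}

# expires_within CERT DAYS -> exit 0 if notAfter is less than DAYS days away
# (-checkend exits 0 when the cert will NOT expire within the given seconds)
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# A cert the way the thread suggests: 90 days and must-staple.
make_cert "$WORK/short.pem" 90 yes
# A cert the way long-lived DV/OV certs are sold: three years, no must-staple.
make_cert "$WORK/long.pem" 1095 no

if has_must_staple "$WORK/short.pem"; then echo "short.pem: must-staple set"; fi
if expires_within "$WORK/short.pem" 91; then echo "short.pem: expires within 91 days"; fi
if ! has_must_staple "$WORK/long.pem"; then echo "long.pem: no must-staple"; fi
if ! expires_within "$WORK/long.pem" 1000; then echo "long.pem: valid beyond 1000 days"; fi
```

The same two checks can be run against a deployed certificate by pointing `has_must_staple` and `expires_within` at its PEM file.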

Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse.

Following collaboration between Let’s Encrypt and Comodo, the trademark issue is now resolved and behind us, and we’d like to thank the Let’s Encrypt team for helping to bring it to a resolution.

@#28 thanks for the info, that’s actually great to know, and it also gives the good thing that if anything changes within Comodo before it runs out (and they could use the trademark), nothing can happen to the sleeping trademark.

Sayer, is there a good reason your education didn’t prepare you to differentiate between copyright and trademarks? Furthermore, regarding copyright, it doesn’t even work that way: everything is copyrighted with or without registration, and failure to register doesn’t imply that it is my privilege to plagiarize you and claim the right to based on your failure.

Your statements thus far are so off I doubt that you are actually a paralegal.

That might change, because the fittest will survive, and automatic renewal will be essential for survival. I don’t see how selling DV-certificates will survive. It probably won’t.

Hi michaelrose,
While on the subject of education, please read the T&Cs of the Forum Policy.
We need to respect other users comments and opinions.
Forum Policy Sect 5

Thank you.

The way I see this situation is that everyone is happy to show judgement, but how many of you know all the facts and details? (Not just something you read either, as anything can be written, whether it is true or false.)

There is nothing so complicated that one would need to consult a lawyer or even a paralegal.

The facts are incredibly obvious. Painfully so, even. Let’s Encrypt existed for years before Comodo attempted to steal their name. At best it was an attempt to attack their competition by making them waste money on legal fees; at worst, an attempt to derail them by forcing a name change and creating confusion about the Let’s Encrypt brand.

Worse, when Comodo was caught behaving poorly and called on it, their CEO spewed a bunch of nonsense, then backpedaled without admitting wrongdoing or fault.

As a result their rep is approximately at used car salesman level.

If you actually care what prospective customers think of you, it’s time for a mea culpa plus your CEO’s resignation.

As to the legal professional, I honestly believe he is misleading people about his profession and adding to the confusion. I am not personally attacking him; I truly believe it’s impossible that he is a paralegal and confused copyright and trademark.

I am afraid you are; please read the Forum Policy.

To anyone who posts in this topic: further posts in this topic which are only to insult or be rude in any way will result in that member being banned.

If you feel the need to troll, do it elsewhere.

Please note the above post, which closes the topic; no, we do not lock topics.

Thank you

Dennis

The blog post has also been updated: Defending Our Brand [Updated] - Let's Encrypt

You are absolutely off your rocker. Everything is not copyrighted without registration? Is this post that I’m making right now copyrighted? It could not even be considered intellectual property. Trademark and copyright registrations are both issued by the federal government and protect two distinct types of intellectual property. You can also include patent law under the same scope. Copyright works for a fixed tangible medium, where trademark distinguishes the source of the goods or services of one person or company. Both provide the owner with the right to exclude others from using their work without permission. Under both pretenses ISRG has no claim to ownership of the phrase “Let’s Encrypt”.

Let’s Encrypt may have existed for years using the name before Comodo used the name (which by legal ownership does not belong to ISRG), and they have no legal or binding ownership of it. That is simple, and any first-year law student could tell you that.

Copyright/trademark requires use and distinctiveness (and registration if you want any real protections). If ISRG did not realize that, then too bad.

Please do not come around here stating facts and opinions that are wrong and misguided. I would give you a true piece of my mind, but I have too much respect for the mods on this forum.

With that said, recheck your facts and only post on things you really understand.

Well, the only thing they actually COULD sell would be wildcards, because there have been no free wildcards, but if they do, I hope it will be cheap.

Also, I don’t care whether or not they will do it in the future. The CEO stated that LE stole their model of 90-day free certs, which is a point I just cannot agree with, because their certs weren’t really free but pretty much just a trial.

Except for the fact that they didn’t use the name (yet) but stated that they want to in the future, I can’t say anything about that, but I think, similar to patents, they should really make a law that’s similar to the “prior art” concept of patents.

I don’t think that just doubting whether a person has one job or another is something that could be offensive, especially considering your final sentences that anyone can write anything on the web.
If he had said something along the lines of “no way in hell you are a paralegal, you little …”, well, yeah, I get what you mean, but he just stated that he doubts that he’s a paralegal (I don’t really know what a paralegal is, but I don’t think that’s so important right now).

Yes, yes it is. In layman’s language, see jux.law. Short answer is no, it needn’t be registered to be copyrighted. If I understand properly, this was so as of 1976, approx. 50 years ago; I could be off on that one, though.

Nope.

As you yourself noted, the purpose of trademark is to avoid confusion. Specifically: “Where trademark distinguishes the source of the goods or services of one person or company.” No court in their right mind, knowing that a competitor had been doing business for multiple years under that name, would have granted it to Comodo. This is a clear ■■■■■■■■■■ of the letter and spirit of the law. Attempting to sow confusion rather than prevent it!

Why on earth do you think they backpedaled so fast? Do you think it’s acceptable to play games and hope the courts don’t call you on it, or do you think a company’s public behavior ought to be above reproach and straightforward? This isn’t a legitimate strategy; it’s an open attack on something that would otherwise benefit us all.

This could go back and forth and on and on. Let me give you a simple example. Let’s say a man opens a restaurant named Jake’s Hamburgers, and the restaurant is a great success. Over the years, with that success, he opens dozens of others. This business owner never trademarks the name.

Another man opens a single restaurant, only a few weeks old, and trademarks the name Jake’s Hamburgers. This man finds out that the other owner is running multiple restaurants with his trademarked name. The man with the trademark could file suit in any court in America and force the older business to cease using the name on all his restaurants immediately. The courts will always side with the owner of the registration.

This is plain and simple law, and designed that way to protect the ownership of the trademark holder. If ISRG did not own the trademark and Comodo filed for ownership first, there is a great chance Comodo would have legal rights to the phrase.

I do not know all the details of this particular case, but I do know what I’m talking about. I was a paralegal for 2 years with my friend’s law firm years ago, and he specialized in these matters, and I learned a lot from my experience. Enough to know I’m correct, if I understand the facts correctly.

Either way, I’m done with this, as it does not concern me.