[cabfpub] LV Certificates - Counterproposal

Sigbjørn Vik sigbjorn at opera.com
Mon Dec 21 04:29:31 MST 2015


Hi CloudFlare and Facebook,

At Opera we share your concern about the wellbeing of the web. We too
want information to be accessible to as many as possible. We also want
this information to be securely accessible, so we are deeply sceptical
of any ballots that reduce the security of the web in any way, including
this one. Let us instead offer a counterproposal.

For a significant part of the users referenced in the ballot, free
upgrade paths already exist, so we believe these users do not need any
further action from us. Some users may not be able to use their device
on tomorrow's web though. We are eagerly awaiting your statistics on
this. Most likely this will be for very limited devices.

For example, Opera Mini is a technology which has minimal client
requirements such as RAM and CPU, and works independently of the root
store and cryptographic capabilities of the device. All that is required
is the ability to install a networked app, and it runs on a host of such
limited devices already. If this ballot should fail, and you are still
concerned about your users, get in touch with us, and I am sure our Mini
team could quickly release a version that gives full access to
your services.

Other solutions than LV exist, whether with Opera, or other companies.

On 18-Dec-15 23:21, Jeremy Rowley wrote:
> Hi everyone,
>
> Attached is a proposal from Cloudflare and Facebook creating LV
> certificates in the baseline requirements.  This is a draft ballot for
> review that will, of course, change based on the debate in the forum.
> Although CAs will stop issuing SHA-1 on 2016/1/1, there isn’t any reason
> these changes couldn’t go into effect in early January (assuming a
> passing vote).
>
> If adopted, this ballot would permit continued use of SHA1 certificates
> past the deprecation deadline (to support older devices) but give newer
> browsers an easy way to reject SHA1 for users.  The ballot also
> increases the resiliency of SHA1 certs against attacks by requiring
> higher entropy serial numbers.
>
> I look forward to your comments.
>
> Thanks,
>
> Jeremy


-- 
Sigbjørn Vik
Opera Software

