On 1/3/2009 6:43 AM, Ian G wrote:
> On 3/1/09 04:38, Eddy Nigg wrote:
>> Before anybody else does, I prefer posting it myself :-)
>>
>> http://blog.phishme.com/2009/01/nobody-is-perfect/
>> http://schmoil.blogspot.com/2009/01/nobody-is-perfect.html
>>
>> For the interested, StartCom is currently checking if I can release our
>> internal "critical event report" of this event to the public (there
>> might be some internal information which should not be disclosed).
>
>
> Leaving aside the details of this "disclosed exploit demo" ... and with
> a nod to the benefit to the community of such a disclosure ... it is
> useful to examine the MOTIVE for doing this.
>
> What incentive exists for a CA in disclosing an apparent weakness?
>
> * In the open source world, we would say, the code is there for us
> to share and improve the code, and the weaknesses are, as a consequence
> of the model, revealed. In the open source world, we grasp this nettle
> and turn it into an advantage.
>
> * But in the closed source world, other dynamics work. A seller of
> proprietary product will suppress any report of weakness, as this will
> cause the buying public to become suspicious, and buy some other
> supplier's product.
>
> We've seen both sides over the last 2-3 weeks.
>
> So I guess there are two questions:
>
> 1. do we want to live in the world of open disclosure,
> or the world of pretty facades?
>
> 2. if the former, how do we create the incentives
> such that all prefer to disclose up front?
>
To a large extent, I addressed this issue from the standpoint of an outsider discovering a problem more than three years ago in my <http://www.rossde.com/editorials/edtl_shootmsngr.html>. See also my <http://www.rossde.com/editorials/CalOaksBank.html> (two years ago) for a comparison of going public versus staying private when an outsider discovers such a problem.

--
David E. Ross
<http://www.rossde.com/>

Q: What's a President Bush cocktail?
A: Business on the rocks.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto