Re: [Discuss] root CA bloat

2014-11-25 Thread Derek Martin
On Mon, Nov 24, 2014 at 09:35:16PM -0500, Richard Pieri wrote: On 11/24/2014 3:20 PM, Derek Martin wrote: It is a practical impossibility for you (or your organization) to actually truly authenticate each and every entity with whom you do business on the Internet. I don't agree with the

Re: [Discuss] root CA bloat

2014-11-25 Thread Richard Pieri
On 11/25/2014 1:15 PM, Derek Martin wrote: Let's say I meet you on the street, and you tell me you are Steven Smith, and produce very good fake ID to that effect. As it happens (in this scenario) I am exceptionally good at spotting fake ID. I prove that your ID is fake. This does not prove to

Re: [Discuss] root CA bloat

2014-11-25 Thread Derek Martin
On Tue, Nov 25, 2014 at 02:52:47PM -0500, Richard Pieri wrote: On 11/25/2014 1:15 PM, Derek Martin wrote: Let's say I meet you on the street, and you tell me you are Steven Smith, and produce very good fake ID to that effect. As it happens (in this scenario) I am exceptionally good at

Re: [Discuss] root CA bloat

2014-11-25 Thread Richard Pieri
On 11/25/2014 3:56 PM, Derek Martin wrote: Oh, right, just like the web of trusted certificate authorities. It's a solved problem, so we really don't need to continue this discussion! Certificate authorities are not webs of trust. They are the opposite of webs of trust. -- Rich P.

Re: [Discuss] root CA bloat

2014-11-25 Thread Derek Martin
On Tue, Nov 25, 2014 at 04:18:34PM -0500, Richard Pieri wrote: On 11/25/2014 3:56 PM, Derek Martin wrote: Oh, right, just like the web of trusted certificate authorities. It's a solved problem, so we really don't need to continue this discussion! Certificate authorities are not webs of

Re: [Discuss] root CA bloat

2014-11-25 Thread Richard Pieri
On 11/25/2014 4:31 PM, Derek Martin wrote: Yes, that was my point. Social networks are not either... unless you think someone who has over 1,000 friends on Facebook actually completely trusts every one of them. You don't need to completely trust every one of them. You just need to trust a

Re: [Discuss] root CA bloat

2014-11-24 Thread Edward Ned Harvey (blu)
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of John Abreau Replacing X.509 requires that every site you want to visit switch away from X.509 as well. Convincing the whole world to embrace a crypto flag day is an enormously

Re: [Discuss] root CA bloat

2014-11-24 Thread Derek Martin
On Sun, Nov 23, 2014 at 08:33:11PM -0500, Richard Pieri wrote: What I don't understand -- and maybe don't want to understand -- is why you are jumping through hoops to bolt kludges onto X.509 instead of working to replace X.509 with something that has verifiable trust baked in. I think the

Re: [Discuss] root CA bloat

2014-11-24 Thread Richard Pieri
On 11/24/2014 3:20 PM, Derek Martin wrote: It is a practical impossibility for you (or your organization) to actually truly authenticate each and every entity with whom you do business on the Internet. The problem is compounded by the needs of I don't agree with the base assertion. I don't

Re: [Discuss] root CA bloat

2014-11-23 Thread Bill Bogstad
On Sun, Nov 23, 2014 at 1:15 AM, Richard Pieri richard.pi...@gmail.com wrote: On 11/22/2014 4:15 PM, Bill Bogstad wrote: I already mentioned part of this in my first note. They would have to do it by changing the nameserver entries for the microsoft.com domain at the .com DNS servers which

Re: [Discuss] root CA bloat

2014-11-23 Thread Richard Pieri
On 11/23/2014 3:26 AM, Bill Bogstad wrote: If they did something that Microsoft hadn't requested then I'm pretty sure somebody would both notice AND care. This is all in the context of attacking the security of Internet communications via a MITM attack. If Microsoft (one of the two parties

Re: [Discuss] root CA bloat

2014-11-23 Thread Bill Bogstad
On Sun, Nov 23, 2014 at 3:53 PM, Richard Pieri richard.pi...@gmail.com wrote: On 11/23/2014 3:26 AM, Bill Bogstad wrote: If they did something that Microsoft hadn't requested then I'm pretty sure somebody would both notice AND care. This is all in the context of attacking the security of

Re: [Discuss] root CA bloat

2014-11-23 Thread Edward Ned Harvey (blu)
From: Tom Metro [mailto:tmetro+...@gmail.com] I think what would be practical is not eliminating all the obscure CAs, but having the cert validation area on the address bar show orange or yellow or something to indicate that a valid cert was found, but that it was issued by a less known

Re: [Discuss] root CA bloat

2014-11-23 Thread Richard Pieri
On 11/23/2014 11:13 AM, Bill Bogstad wrote: Almost... Microsoft didn't authorize MarkMonitor to monitor their communications (as far as I know). They authorized them to provide The concern isn't what MM is doing at the moment; it's what MM is capable of doing being a trusted CA and a

Re: [Discuss] root CA bloat

2014-11-23 Thread Tom Metro
Edward Ned Harvey (blu) wrote: There are class 1 and class 2 certs, and higher, but of course there's no differentiation client-side. It's simply Ok or Not Ok. So the question of how much I trust some particular cert is an interesting question - extending not just to which CA issued the

Re: [Discuss] root CA bloat

2014-11-23 Thread Richard Pieri
On 11/23/2014 7:33 PM, Tom Metro wrote: The extension provides a dialog where you configure which factors to consider and how to weigh them, with reasonable defaults to get you started. What I don't understand -- and maybe don't want to understand -- is why you are jumping through hoops to

Re: [Discuss] root CA bloat

2014-11-22 Thread Bill Bogstad
On Sat, Nov 22, 2014 at 2:30 AM, Richard Pieri richard.pi...@gmail.com wrote: On 11/21/2014 6:19 PM, Tom Metro wrote: Has anyone created an extension for Firefox that trims down the cert list to something like the top 50 cert providers? ... It gets better. Do a whois lookup on google.com.

Re: [Discuss] root CA bloat

2014-11-22 Thread Richard Pieri
On 11/22/2014 5:33 AM, Bill Bogstad wrote: You are conflating DNS and Certificate Authorities. When I look at the certificate used for www.microsoft.com, it appears to be signed by Symantec via Verisign. In any case, controlling someone's DNS is not the same thing as being able to sign an

Re: [Discuss] root CA bloat

2014-11-22 Thread Bill Bogstad
On Sat, Nov 22, 2014 at 4:17 PM, Richard Pieri richard.pi...@gmail.com wrote: On 11/22/2014 5:33 AM, Bill Bogstad wrote: You are conflating DNS and Certificate Authorities. When I look at the certificate used for www.microsoft.com, it appears to be signed by Symantec via Verisign. In any

Re: [Discuss] root CA bloat

2014-11-22 Thread Richard Pieri
On 11/22/2014 4:15 PM, Bill Bogstad wrote: I already mentioned part of this in my first note. They would have to do it by changing the nameserver entries for the microsoft.com domain at the .com DNS servers which I'm pretty sure they don't run. MarkMonitor owns the microsoft.com and msft.net

Re: [Discuss] root CA bloat

2014-11-21 Thread Tom Metro
Edward Ned Harvey (blu) wrote: Look at the list of CAs on Mozilla's list, and look at their process for accepting CAs (and read that link about Honest Achmed, which is hilarious https://bugzilla.mozilla.org/show_bug.cgi?id=647959 ) Heh. It's a joke application to add a root certificate for

Re: [Discuss] root CA bloat

2014-11-21 Thread Richard Pieri
On 11/21/2014 6:19 PM, Tom Metro wrote: Has anyone created an extension for Firefox that trims down the cert list to something like the top 50 cert providers? Who's to say what those top 50 are? And in fact, pruning to the top 50 would only remove about a dozen of the top level certificate