On Tue, 27 Jul 2010 01:14:21 +0000 (UTC) Jay Sakata <j...@edgecast.com> wrote:

> I was very interested to read Peter's analysis of shared SAN
> certificates. While we offer dedicated certificates, the shared
> certificates we offer enable us to conserve IPv4 space while
> helping customers lower costs. We've tested and analyzed these
> shared certificates extensively and in a wide variety of scenarios,
> and we believe they are just as secure as dedicated certificates.

I think that you may be right -- the entire TLS PKI model may be so horribly broken that, once you no longer have any real security to speak of, simply sharing a cert among hundreds of trust domains hardly harms anything further. All major browsers already trust CAs that have virtually no security to speak of, and for the most part a certificate only indicates that the CA had reason to believe that someone was in possession of sufficient funds to pay it for it.

However, I suspect this is not what you meant here.

> And helping our customers manage costs is good corporate
> citizenship. But we will absolutely not compromise security in the
> pursuit of either of these goals; our customers' security is
> paramount.
>
> Of course, security is a journey and not a destination, and we are
> constantly striving to further improve ours.

[...]

> A more secure Internet is in everyone's best interest, and I always
> stand ready to make sure we are doing our part.

[rest elided]

I find it gratifying that my mailing list has gained sufficient public importance that not one but two technology executives have made the effort within 48 hours to join it so that they can state their opinion on the issue that Peter Gutmann raised.

I find it less gratifying, however, when those messages do not focus on clear discussion of technical merits. This is, after all, a technical mailing list, intended for technologists to speak clearly, openly and precisely with each other.

In reading your note, I was reminded of George Orwell's excellent essay "Politics and the English Language":

http://www.mtholyoke.edu/acad/intrel/orwell46.htm

If you have not read it, I strongly urge that you do so.

Perry
-- 
Perry E. Metzger                pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com