On 06/26/2011 02:50 AM, Ralph Holz wrote:
> Which brings us to the next point: how do we measure improvement? What we would need - and don't have, and likely won't have for another long while - are numbers that are statistically meaningful. On moz.dev.sec.policy, the proposal is out that CAs need to publicly disclose security incidents and breaches. This could actually be a good step forward.

I agree - except that it should apply to more than just CAs.

In 2008, I sent the following e-mail to my representatives and both Presidential candidates:

http://seclists.org/dataloss/2008/q3/133

Its intent was to initiate a change in policy wrt breach disclosures. There was not even the courtesy of a form-response from most of them, so it's not surprising that we continue to fly blind in 2011.

Arshad Noor
StrongAuth, Inc.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
