On 28/09/11 09:32 AM, Jeffrey Walton wrote:
Not surprisingly, none of the suggestions below benefit the consumer
or individual. Perhaps they should just use GPL-like verbiage - "not
fit for any use".

"Enterprise can't rely on encrypted communications anymore, but
corporate counsel can champion a fix"
http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202517008883&From_the_Experts_SSL_Hacked

"With respect to the enterprise's public-facing website and SSL portal
for its customers, corporate counsel and IT should determine: (i)
whether the "subscriber agreement" between the enterprise and the CA
adequately protects the enterprise; (ii) the identity and reliability
of the relevant RAs used by the CA; (iii) the types of audit policies
the CA follows; (iv) whether the CA has been the subject of prior
exploits; (v) the types of statements made by the enterprise in its
Terms and Conditions of Use regarding the supposed reliability of SSL;
(vi) whether the addition of better disclaimers is needed; and (vii)
the nature and extent of the CA's insurance coverage."

As we know, (i) endangers the enterprise because relying on one CA means relying on all CAs. Remaining points are therefore of less relevance, perhaps of no relevance, unless there is an insurance policy indemnifying subscriber for other CAs.

However, Steve Roosa did not stop or start there. Here's what he wrote immediately preceding, under the title On the Enterprise Browser Side:

The most important step for corporate counsel and IT departments is to collaborate on the quickest, perhaps most effective measure of all: configuring the enterprise browser platform so as to reduce the number of root CAs the enterprise relies upon.

First, weed out those root certificates that no one recognizes. If you do not know the CA well, there is no way for you to trust that CA.

Second, weed out those root certificates that are used rarely or not at all. If a root certificate is not being used, then its only purpose is to loiter around in the browser platform until such time as it can be leveraged against the enterprise in an attack. So just delete it.

Third, for those CAs that remain, take a few moments to interact with the CAs...

He's advising that the enterprises replace the root list. The question then is: how far is this loss of faith in the browser PKI going to spread?

iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
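The first two of Roosa's steps (drop roots nobody recognizes, drop roots that anchor no real traffic) can be turned into a repeatable audit of the enterprise trust store. The script below is an added illustration, not code from the mailing-list post or from Roosa's article. It assumes two inputs the enterprise already has or can collect: an export of the browser/OS root store as (SHA-256 fingerprint, subject) pairs, and proxy or endpoint log lines recording which root anchored each observed TLS chain. All certificate names, fingerprints and log lines here are constructed placeholders, and the `root_sha256=` log field is a hypothetical format. The third step, engaging the remaining CAs, is a human task and is not modelled.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class RootCert:
    """One trust anchor as exported from the browser/OS root store."""
    fingerprint: str   # hex SHA-256 of the DER-encoded certificate
    subject: str


# --- Constructed sample data: hypothetical roots and fingerprints, not real CAs ---
FP_INTERNAL = "aa" * 32
FP_PUBLIC = "bb" * 32
FP_OBSCURE = "cc" * 32
FP_LEGACY = "dd" * 32
FP_FOREIGN = "ee" * 32   # appears in traffic but was never in the store

TRUST_STORE: List[RootCert] = [
    RootCert(FP_INTERNAL, "CN=Example Corp Internal Root CA"),
    RootCert(FP_PUBLIC, "CN=Well Known Public Root G2"),
    RootCert(FP_OBSCURE, "CN=Obscure Regional CA"),
    RootCert(FP_LEGACY, "CN=Legacy Root 1999"),
]

# Roosa's first step: the set of CAs the enterprise actually knows and has vetted.
RECOGNIZED: Set[str] = {FP_INTERNAL, FP_PUBLIC, FP_LEGACY}

# Constructed log lines in a hypothetical proxy format: timestamp, host, anchoring root.
OBSERVED_LOG = f"""\
2011-09-28T09:00:01Z host=intranet.example.test root_sha256={FP_INTERNAL}
2011-09-28T09:00:05Z host=bank.example.test root_sha256={FP_PUBLIC}
2011-09-28T09:01:10Z host=mail.example.test root_sha256={FP_PUBLIC}
2011-09-28T09:02:00Z host=odd.example.test root_sha256={FP_FOREIGN}
"""

ROOT_RE = re.compile(r"root_sha256=([0-9a-f]{64})\b")


def count_root_usage(log_text: str) -> Counter:
    """Count how many observed chains each root fingerprint anchored."""
    usage: Counter = Counter()
    for line in log_text.splitlines():
        match = ROOT_RE.search(line)
        if match:
            usage[match.group(1)] += 1
    return usage


def audit_trust_store(store: Iterable[RootCert], recognized: Set[str],
                      usage: Counter) -> Dict[str, str]:
    """Apply Roosa's first two criteria to every root in the store.

    Unrecognized roots go first: a CA the enterprise cannot vouch for is
    removed even if traffic happens to chain to it. Recognized roots that
    anchored nothing in the observation window are removed as dead weight.
    """
    decisions: Dict[str, str] = {}
    for root in store:
        if root.fingerprint not in recognized:
            decisions[root.fingerprint] = "remove:unrecognized"
        elif usage[root.fingerprint] == 0:
            decisions[root.fingerprint] = "remove:unused"
        else:
            decisions[root.fingerprint] = "keep"
    return decisions


def roots_seen_but_untrusted(store: Iterable[RootCert], usage: Counter) -> List[str]:
    """Roots observed in traffic that are absent from the store.

    Chains anchored here would already fail validation; listing them tells
    the auditor which hosts will break (or are already broken) after pruning.
    """
    known = {root.fingerprint for root in store}
    return sorted(fp for fp in usage if fp not in known)


def prune(store: Iterable[RootCert], decisions: Dict[str, str]) -> List[RootCert]:
    """Return the reduced trust list containing only roots marked 'keep'."""
    return [root for root in store if decisions.get(root.fingerprint) == "keep"]


if __name__ == "__main__":
    usage = count_root_usage(OBSERVED_LOG)
    decisions = audit_trust_store(TRUST_STORE, RECOGNIZED, usage)
    for root in TRUST_STORE:
        print(f"{decisions[root.fingerprint]:22} uses={usage[root.fingerprint]:3}  {root.subject}")
    for fp in roots_seen_but_untrusted(TRUST_STORE, usage):
        print(f"observed but not in store: {fp}")
    print("pruned store:", [root.subject for root in prune(TRUST_STORE, decisions)])
```

Run the audit over a long enough observation window before acting on "remove:unused", since a root that anchors only a quarterly vendor portal will look unused in a week of logs; the output is a proposed reduced list for review, not an automatic deletion.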
