Exactly my thinking on this Ken, well said.
Honestly, it's like taking a SAS 70 and saying yep, they are secure (or SSAE 16 parts 1, 2). I tell auditors all the time in ISACA discussions this is a "point in time" assessment, and might not even be valid the next day, so again if you want to go on the cheap for your trusted certificates you might be paying a larger price down the line when that certificate provider gets P0wned...

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, September 07, 2011 10:57 AM
To: NT System Admin Issues
Subject: RE: DigiNotar compromise

And yet people ask: "why should I pay $x * 100 for a Verisign/etc. cert vs $x for a DigiNotar/etc. cert?" Yet, I suppose this is capitalism in action. There is no guarantee that Verisign is non-hackable, yet they have a profitable business model to protect. Each of us has to make a tradeoff to decide whether a cheaper price is worth the risk that too cheap a price is compromising due diligence on behalf of the CA.

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, 7 September 2011 10:30 PM
To: NT System Admin Issues
Subject: RE: DigiNotar compromise

Honestly, it doesn't surprise me on this one. I am sure there are others that are just as bad or worse, that will get owned at some time in the future and the same kind of stuff will be unearthed.

Z

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Tim Evans [mailto:[email protected]]
Sent: Tuesday, September 06, 2011 4:02 PM
To: NT System Admin Issues
Subject: DigiNotar compromise

If this is true, I find it absolutely unacceptable that a commercial CA would run a system like this.

Incredible
http://computer-forensics.sans.org/blog/2011/09/06/diginotar-incident-response-report-no-logging-weak-password-no-protected-network

Tim Evans
Associate, Information Technology Manager
S P A R L I N G
(206) 667-0509-Direct
(206) 391-8004-Mobile
www.sparling.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
