> Like everyone else, I say this consultant doesn't know what he's
> talking about (I'm tempted to ask you to tell me who it is, so I can
> avoid him/her).  Can I suggest a different line of attack, though?
> It's obvious that confronting the consultant by calling bull doesn't
> win you any points, so how about simply asking the consultant how,
> exactly, the double certificate scheme increases security?  And do not
> let yourself be satisfied with a half-assed answer.

Hmm, I wouldn't name names, I'm just a little guy in all this. And if
I could, I would have used my real name on this list already.

I'm not the one presenting the arguments, I'm preparing those
behind the scenes for our group leader. I'm working on a spreadsheet
calculator on how the costs add up for supporting a non-standard
scheme. This includes:

- cost for extra development (code changes to support double-cert,
debugging, extra bugs filed related to this scheme, ...)
- cost for extra testing
- cost for extra certificates, given that there will be 5000+ users using
the system
- cost for extra management (time difference between loading a standard
certificate into a USB token, and creating double-certs and loading them into the
- extra cost for managing extra tools
- extra cost for managing certificates in this scheme, as the validity periods
of the 2 certs are not synced
- extra cost incurred by users, as they have to remember which cert will
expire when (this is not a strong one though, as we can easily add an
extra function to the system to notify the user and admin that a specific
cert is going to expire, and when...)
- ... other smaller misc ones

Please help fill in items that I might have missed :)

> I'd ask the CEO up front on what grounds he trusts that consultant.

Heh, he has a PhD in CS, specializing in "crypto" and "system security" :)
according to what I heard. But I don't think he has ever coded anything.
We have agreed between us that we will never "attack" on personal
grounds. Keep it cool, so no one has ever mentioned anything about this.

> coconut_to_go> But the annoying thing is, the 2 certificates do not
> coconut_to_go> even specify usage attributes correctly. And our
> coconut_to_go> security expert said it does not matter, we (the
> coconut_to_go> programmers) have to figure out which cert is
> coconut_to_go> used for signature and which one is used for encryption.

> This is just further proof that the consultant doesn't know squat about what
> he or she is talking about.

After a while, I noticed my arguments against this scheme got lost in the
noisy room, and it kind of stuck in there as "personal thinking", and not
"scientific". That's why I'm posting on the list, in case someone could provide
a hint on a more "scientific" comparison of security analysis models
(or security attack models) for the two different schemes (double cert
vs. standard single cert, with key separation if needed).

I'm building an attack model, based on an attack tree, expanding out
into different routes of attack... the attack tree diagram covers about
30 pages, and I'm having difficulties presenting it in a short and cool
ppt to the management team. Besides, I've got a gut feeling that something
is missing, but I don't know what. I'm a programmer by profession
(and like it that way), learning crypto and security by myself, just
out of interest. So I'm not sure I have fully grasped the best practices
of security analysis.

This exercise is trying to show that there is nothing more secure
about the double-cert scheme. And if it can actually show that the double-cert
scheme is more secure, then I will have learned something too.

Problem is, it involves certain details of the project, so it is not possible
to show it to the public and ask for advice. And frankly, asking a blank
question like that would be difficult for the gurus on the list to
answer too.

Thanks all.
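The complaint quoted above (two certificates that carry no usage attributes, so the programmers have to guess which one signs and which one encrypts) is exactly what the X.509 keyUsage extension exists to settle. The script below is an added example written for this thread, not code from the original poster or from the OpenSSL project: it uses the openssl command line (1.1.1 or later, for `req -addext`) to issue a signature certificate marked digitalSignature/nonRepudiation, an encryption certificate marked keyEncipherment, and a third certificate with no keyUsage at all, then shows the selection check a program can do mechanically on the first two and cannot do on the third. The subject names (sign, enc, bare), the 30-day self-signed certificates and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: two RSA certificates with distinct
# keyUsage (one for signing, one for key encipherment) and a third with no
# keyUsage at all, plus the check a program should do before picking a cert.
# Requires openssl >= 1.1.1 (for `req -addext`). Names (sign/enc/bare) and
# function names are ours, not the project's.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME KEYUSAGE: self-signed cert + key in $WORK; an empty KEYUSAGE
# omits the extension entirely (mimics the "no usage attributes" certs).
# Prints the path of the PEM certificate.
gen_cert() {
    name="$1"; usage="$2"
    set -- req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.pem"
    if [ -n "$usage" ]; then
        openssl "$@" -addext "keyUsage=critical,$usage" >/dev/null 2>&1
    else
        openssl "$@" >/dev/null 2>&1
    fi
    printf '%s\n' "$WORK/$name.pem"
}

# key_usage CERT: print the decoded keyUsage line ("Digital Signature, ..."),
# or nothing if the extension is absent.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ */, ""); print; exit }'
}

# cert_allows CERT PURPOSE: yes / no / unknown (unknown = no keyUsage, so the
# certificate itself cannot tell you what it is for).
cert_allows() {
    ku="$(key_usage "$1")"
    if [ -z "$ku" ]; then
        echo unknown
    elif printf '%s\n' "$ku" | grep -qF "$2"; then
        echo yes
    else
        echo no
    fi
}

# pick_cert PURPOSE CERT...: first certificate whose keyUsage grants PURPOSE;
# fails if none does, instead of guessing.
pick_cert() {
    want="$1"; shift
    for c in "$@"; do
        if [ "$(cert_allows "$c" "$want")" = yes ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

SIGN_CERT="$(gen_cert sign "digitalSignature,nonRepudiation")"
ENC_CERT="$(gen_cert enc "keyEncipherment")"
BARE_CERT="$(gen_cert bare "")"

for c in "$SIGN_CERT" "$ENC_CERT" "$BARE_CERT"; do
    printf '%s: keyUsage = [%s]\n' "$(basename "$c")" "$(key_usage "$c")"
done
printf 'signing cert:    %s\n' "$(pick_cert "Digital Signature" "$ENC_CERT" "$SIGN_CERT")"
printf 'encryption cert: %s\n' "$(pick_cert "Key Encipherment" "$SIGN_CERT" "$ENC_CERT")"
if ! pick_cert "Digital Signature" "$BARE_CERT" >/dev/null; then
    echo "bare cert: cannot decide its purpose from the certificate alone"
fi
```

The point for the cost model and the attack tree is the last branch: with keyUsage set, choosing the certificate is a one-line lookup and a verifier can refuse a signature made under the encryption certificate's key, which is the whole benefit key separation is supposed to buy; without it, the split into two certificates adds the management costs listed above but gives the software nothing it can enforce.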



OpenSSL Project User Support Mailing List