Re: [cryptography] Symantec gets it wrong
On Thu, Sep 8, 2011 at 1:30 AM, Ralph Holz h...@net.in.tum.de wrote:

> Hi,
>
> I (still) cannot believe how Symantec reacts to the DigiNotar breaches - basically ignoring the known shortcomings:
>
> http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters

To be contrarian for a moment...

In the old days (a few months ago) the only real difference for a customer between most CAs was how widely their trust was distributed. What platforms (Windows, which mobile phones, etc). Their customers didn't have to care about quality, and really didn't have to care about the CA going away, except if the CA went bankrupt or something...

Today, maybe that has changed ever so slightly? If a customer now fears that their/a CA will actually get de-listed from the popular platforms, thus causing them an outage, maybe customers start demanding CAs that are less likely to get de-listed? Maybe ones that can demonstrate better security controls, or somesuch?

This isn't to say it justifies or supports the marketing campaign, but perhaps there is a real message hidden in there after all?

- Andy

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Symantec gets it wrong
Hi,

>> http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters
>
> To be contrarian for a moment...
>
> [...]
>
> This isn't to say it justifies or supports the marketing campaign, but perhaps there is a real message hidden in there after all?

That would be a really far-sighted campaign, but yes, it's a point.

However, what I meant is that the blog entry ignores the fact that as long as there is a weakest link in the root store, protection of your domain certification is exactly as strong as that weakest link. Sure, you can go to VeriSign to get a certificate, but it won't help you if DigiNotar is hacked afterwards and certificates for your domain issued.

I am no good at predicting customer behaviour, but why should customers opt for the more expensive solution then?

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
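A worked illustration of the weakest-link point made in the message above, added here and not part of the thread: it builds two self-signed roots with Go's standard crypto/x509, has each issue a certificate for the same host name, and checks what a client trusting both roots accepts, then what it accepts once the weaker root has been de-listed. The CA names and example.com are constructed, not real CAs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint returns a fresh certificate for name plus its key: a self-signed root CA when parent is nil, else a server certificate issued by parent.
func mint(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // root: CA flags, and it signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: bind the host name; nothing in X.509 stops any trusted CA from doing this for any name
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether a client whose root store holds roots would accept leaf for host.
func Trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	good, goodKey := mint("Careful Root CA", nil, nil) // constructed names, not real CAs
	weak, weakKey := mint("Weak Root CA", nil, nil)
	mine, _ := mint("example.com", good, goodKey) // the domain owner's certificate
	rogue, _ := mint("example.com", weak, weakKey) // issued by the weak CA for the same name
	// While the client trusts both roots the two are indistinguishable to it; only de-listing the weak root rejects the rogue one.
	fmt.Println(Trusted(mine, "example.com", good, weak), Trusted(rogue, "example.com", good, weak)) // true true
	fmt.Println(Trusted(mine, "example.com", good), Trusted(rogue, "example.com", good))             // true false
}
```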
Re: [cryptography] Symantec gets it wrong
Hi,

On Thu, Sep 8, 2011 at 6:20 PM, Andy Steingruebl a...@steingruebl.com wrote:

> On Thu, Sep 8, 2011 at 1:30 AM, Ralph Holz h...@net.in.tum.de wrote:
>
>> Hi,
>>
>> I (still) cannot believe how Symantec reacts to the DigiNotar breaches - basically ignoring the known shortcomings:
>>
>> http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters
>
> To be contrarian for a moment...
>
> In the old days (a few months ago) the only real difference for a customer between most CAs was how widely their trust was distributed. What platforms (Windows, which mobile phones, etc). Their customers didn't have to care about quality, and really didn't have to care about the CA going away, except if the CA went bankrupt or something...
>
> Today, maybe that has changed ever so slightly? If a customer now fears that their/a CA will actually get de-listed from the popular platforms, thus causing them an outage, maybe customers start demanding CAs that are less likely to get de-listed? Maybe ones that can demonstrate better security controls, or somesuch?

I don't expect the average Joe to know which security controls are better than others and, in turn, I don't expect him to tell an untrustworthy CA from yet-another-CA anytime soon. Even if he could (w.r.t. security controls for the verification of the claimed identity), the incentives are misaligned as the consumers strive for cheaper certificates and issuers for higher margins. The possibility exists for the CA industry to try to self-regulate, issuing security mandates to comply with -- which are not necessarily right, well focused or inexpensive (a PCI DSS deja vu).

Solving the PKI failures we are experiencing requires a multi-dimensional approach. Information asymmetries need to be reduced. At the same time, we need to address the architectural issues; as noted by Peter: Universal implicit cross-certification makes the entire system as weak as the weakest link.

> This isn't to say it justifies or supports the marketing campaign, but perhaps there is a real message hidden in there after all?
>
> - Andy

-- 
alfonso
blogs at http://Plaintext.crypto.lo.gy
tweets @secYOUre
Re: [cryptography] Symantec gets it wrong
On Thu, Sep 8, 2011 at 1:53 PM, Adam Back a...@cypherspace.org wrote:

> btw Massive kudos to the comodo hacker if his 'sploits are accurately bragged, favor he did the SSL/PKI community indeed.

There were multiple files posted as trophies so I presume people have verified. Whether they're for realz or not, the damage (to PKI's unearned position and public perception) is done. Everyone is now on notice. Will this speed new solutions? Maybe, but I won't hold my breath. More likely it will speed decent band-aids and delay better solutions, but that's not a terrible outcome.

Nico
-- 