On 5/09/11 7:23 PM, Gervase Markham wrote:
The thing which makes the entire system as weak as its weakest link is
the lack of CA pinning.
Just a question of understanding: how is the CA pinning information
delivered to the browser?
(For those who don't know, I also had to look it up.)
Preliminary report on-line:
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/fox-it-operation-black-tulip.html
- Marsh
___
cryptography mailing list
cryptography@randombit.net
On 2011-09-06 9:35 AM, Ian G wrote:
(Another sign that the processes aren't doing the job is that CABForum's
solution is to add more audits. We're up to 4, now, right? WebTrust, BR,
EV, vendor. Would 5 do it? 6?)
Shades of Sarbanes-Oxley.
the browser vendors have chosen to prevent them from employing any other option (I can't, for example, turn on TLS-PSK or TLS-SRP in my server, because no browsers support it - it would make the CAs look bad if it were deployed).
Patches welcome? (Or did we reject them already? :-)