On 7/09/11 7:34 AM, Fredrik Henbjork wrote:
Here's another gem related to the subject. In 2003 CAcert wished to have
their root certificate added to Mozilla's browser, and in the resulting
discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the
following to say:
I have no
Ian G i...@iang.org writes:
Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
Actually I'm not sure that DigiNotar was the bottom, since they seem to have
been somewhat careful about the certs they issued. The bottom is the cert
vending machines that will issue a
On 09/07/2011 10:00 AM, Peter Gutmann wrote:
Ian G i...@iang.org writes:
Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
Actually I'm not sure that DigiNotar was the bottom, since they seem to have
been somewhat careful about the certs they issued. The bottom
Marsh Ray ma...@extendedsubset.com writes:
Do we need then a whole spectrum of Super Validation, Hyper Validation,
and Ludicrous Validation to address the ridiculous deficiencies found in
these current pwned EV CAs?
It has been suggested that we need a kind of meta-CA or CA for CAs (CACA).
Then
On 8/09/11 5:34 AM, Fredrik Henbjork wrote:
http://www.globalsign.com/company/press/090611-security-response.html
This whole mess just gets better and better...
As a responsible CA, we have decided to temporarily cease issuance of
all Certificates until the investigation is complete.
On 09/07/2011 02:34 PM, Fredrik Henbjork wrote:
http://www.globalsign.com/company/press/090611-security-response.html
This whole mess just gets better and better...
What's interesting is how the attacker simply doesn't fit the expected
motivations that SSL cert-based PKI was ever sold as
On 8/09/11 6:02 AM, I wrote:
H I'm not sure I'd suspend issuance without some evidence.
On 8/09/11 6:13 AM, Franck Leroy wrote, because he checked the source!:
http://pastebin.com/GkKUhu35
extract:
Third: You only heard Comodo (successfully issued 9 certs for me -
thanks by the
[Adding a cc: to observatory. I am not a big fan of cross posting, but
there are two virtually identical discussions taking place on the
Cryptography and SSL Observatory mailing lists].
Folks,
After writing my Diginotar Lessons Learned (long) post yesterday to
the Cryptography mailing list, I
| It has been suggested that we need a kind of meta-CA or CA for CAs (CACA).
| Then the browser vendors could code CACA into the browsers, and we'd all be
| trusting in CACA.
|
| Or maybe we already are.
Peter (or anyone) -- would you comment on the existence and
practice of bridge
Thawte is part of Verisign, that is a spin-off from RSA Security.
They were an independent company in South Africa with operations in
the US and other places. Verisign bought them in 2000. I never heard
of them having any connection to RSA, which has always been in the US.
I presume that
(As far as I know, Apple has not fixed their desktop/server software
either. The folks that have to deal with it are still hacking
solutions [1]. It's not a big surprise, since Apple's PKI appears to be
generally broken from a programmer's perspective [2]).
Marsh Ray ma...@extendedsubset.com writes:
He wants credit for saving the world from PKI!
He should get it. A number of security practitioners have been trying to tell
the world for more than a decade that this stuff, you know, doesn't actually,
well, work. Whoever's behind this has now made
Ian G i...@iang.org writes:
It is not a new observation that the original threat modelling had flaws you
could drive a truck through :)
You forgot to mention what the SSL/browser PKI threat model actually is, as
first pointed out by some guy called Grigg:
SSL/browser PKI is defined to be