Hi,
On 01/05/2013 12:29 PM, Ben Laurie wrote:
Unless all the people who saw it happened to be running Chrome, then
it seems quite likely it was used maliciously, surely?
The problem is that there are many values that both legitimately and
maliciously can take. Turktrust's argument seems to be
Hi,
Is inclusion of a root CA in the major browsers a shall-issue process?
That is, you meet the criteria and you get in? Or is it a subjective,
political process?
The process varies between browser vendors, with baseline requirements
established in the CAB Forum. Audits are usually
On Sat, Jan 5, 2013 at 8:05 AM, Ralph Holz h...@net.in.tum.de wrote:
Hi,
...
What I have also seen was post-hoc debate about the inclusion of the
Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the
process: If participants do not have much time, the one-week discussion
In the light of yet another in an apparently neverending string of CA
failures, how long are browser vendors going to keep perpetuating this PKI
farce? [0]. Not only is there no recorded instance, anytime, anywhere, of a
browser certificate warning actually protecting users from harm [1], but the
On 5/01/13 01:05 AM, Ryan Sleevi wrote:
On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
You could ask the folks at CAcert... I imagine Ian Grigg will also chime
in. Certification costs a lot, and as you have observed, the incumbents
try very hard to keep you out. Despite some
On 5/01/13 00:01 AM, yersinia wrote:
On Fri, Jan 4, 2013 at 8:41 PM, John Case c...@sdf.org wrote:
Many today say that there are too many root CAs, not a few. Isn't it?
https://www.eff.org/observatory.
Have I missed something?
Yes - the number of CAs is not so relevant to the question.
Hi all,
On 5/01/13 15:55 PM, Ralph Holz wrote:
On 01/05/2013 12:29 PM, Ben Laurie wrote:
Unless all the people who saw it happened to be running Chrome, then
it seems quite likely it was used maliciously, surely?
The problem is that there are many values that both legitimately and
I have no more information than the rest of you but my read of what they
published is that this was not a 'legitimate MITM' case.
It sounds to me as if they are saying a customer installed a previously
purchased certificate on a firewall for a legitimate purpose -- possibly
administration or
Before joining Globalsign a year ago I was an observer to what was going on in
the CA industry.
Personally I saw (and still do see) value in the services that a CA offers and
believe that for the large majority of users on the Internet there is value in
knowing who is behind a domain name.
I
I'm really glad you asked this question. It gives me a chance to tell a story I've
wanted to tell for some time. I know the answer to your question because I've
done it.
Some years ago, PGP Corporation toyed off and on with the idea of becoming a
CA. We
A great write up Jon!
As you know, in a past life I was responsible for the Microsoft Root program and
introduced much of the process that is used today. It really makes me happy to
see someone speak positively about what they do, and I couldn't agree more.
The only thing I would change in
Just to top-post on that - I did read up on a lot more references [0],
and I see that the claim is that the CA concerned issued the
intermediates by mistake. They caught one of them later on and fixed
it. The second they did not catch.
The holder of the second intermediate then installed it
Ian, I do agree with you that the dynamic configuration of their firewall is
the most suspect part of the story.
I'm inclined to give them the benefit of the doubt based on my experience
managing some UI related efforts inside of Windows -- aka today modern software
makes an effort to intuit
On Sat, Jan 5, 2013 at 3:26 PM, Ryan Hurst ryan.hu...@globalsign.com wrote:
Ian, I do agree with you that the dynamic configuration of their firewall is
the most suspect part of the story.
I'm inclined to give them the benefit of the doubt based on my experience
managing some UI related
I've been unable to find a screenshot but this FAQ does suggest that there is
an explicit action required to enable HTTPS inspection:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=solutionid=sk65123
As for what appropriate consequences are for
On Sat, Jan 5, 2013 at 3:59 PM, Ryan Hurst ryan.hu...@globalsign.com wrote:
I've been unable to find a screenshot but this FAQ does suggest that there
is an explicit action required to enable HTTPS inspection:
It's still not clear it was willful; for example, maybe they were using an
enterprise CA to enable the MITM for their machines / enterprise users who knew
the traffic was monitored, and to fix some user-reported problem they made a
configuration mistake.
After all in the end these are just Base64
2013/1/5 Ryan Hurst ryan.hu...@globalsign.com
I've been unable to find a screenshot but this FAQ does suggest that there
is an explicit action required to enable HTTPS inspection:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=solutionid=sk65123
Erwann,
The text in that FAQ refers to the administrator enabling HTTPS inspection; my
assumption is that for there to be FAQ references, it is 'obvious' in the UI
that it can be enabled.
That said I don't disagree with most of what you said below.
Ryan Hurst
Sent from my phone, please
Jon,
Many thanks for this very informative post - really appreciated.
Some comments, below...
On Sat, 5 Jan 2013, Jon Callas wrote:
Now that $250K that I spent got an offline root CA and an intermediate
online CA. The intermediate was not capable of supporting workloads that
would make
On Sat, January 5, 2013 10:10 pm, John Case wrote:
Jon,
Many thanks for this very informative post - really appreciated.
Some comments, below...
On Sat, 5 Jan 2013, Jon Callas wrote:
Now that $250K that I spent got an offline root CA and an intermediate
online CA. The
Any defensiveness is no doubt due to the fact that trust in the system
is shared between all participants - lose faith in one CA, and you lose
faith in all CAs. In that sense, existing CAs - particularly entrenched
ones - have incentives to improve the state of the trust and security in
the
On 2013-01-05 9:31 AM, Ryan Sleevi wrote:
On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:
On 2013-01-05 8:05 AM, Ryan Sleevi wrote
Can you explain how, exactly, incumbents leverage any power to keep new
entrants out?
Such behavior is necessarily a deviation from official truth,
On 2013-01-05 12:07 PM, Morlock Elloi wrote:
Correct. The cost of being a CA is equal to the cost of getting the CA signing public
key into the target audience's browsers.
You can (sorted by increasing security, starting with zero):
1 - go through browser vendors,
2 - have your users install
On Fri, Jan 4, 2013 at 6:06 PM, James A. Donald jam...@echeque.com wrote:
On 2013-01-05 8:05 AM, Ryan Sleevi wrote
...
Analogously, regulators, financial audits and ratings agencies were supposed
to ensure that banks only invested in safe stuff.
Safe Stuff was thrown out the window with the