Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-27 Thread Ian G
On 26/06/11 1:26 PM, Marsh Ray wrote: On 06/25/2011 03:48 PM, Ian G wrote: On 21/06/11 4:15 PM, Marsh Ray wrote: This was about the CNNIC situation, Ah, the "I'm not in control of my own root list" threat scenario. See, the thing there is that CNNIC has a dirty reputation. That's part of

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-27 Thread Arshad Noor
On 06/26/2011 02:50 AM, Ralph Holz wrote: Which brings us to the next point: how do we measure improvement? What we would need - and don't have, and likely won't have for another long while - are numbers that are statistically meaningful. On moz.dev.sec.policy, the proposal is out that CAs

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-27 Thread Kevin W. Wall
On Mon, Jun 27, 2011 at 8:59 PM, Arshad Noor arshad.n...@strongauth.com wrote: In 2008, I sent the following e-mail to my representatives and both Presidential candidates: http://seclists.org/dataloss/2008/q3/133 Its intent was to initiate a change in policy wrt breach disclosures. There

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Ralph Holz
Hi, Any model that offers a security feature to a trivially tiny minority, to the expense of the dominant majority, is daft. The logical conclusion of 1.5 decades' worth of experience with centralised root lists is that we, in the aggregate, may as well trust Microsoft and the other root

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread James A. Donald
On 2011-06-26 7:50 PM, Ralph Holz wrote: On moz.dev.sec.policy, the proposal is out that CAs need to publicly disclose security incidents and breaches. This could actually be a good step forward. If the numbers show that incidents are far more frequent than generally assumed, this would get us

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Ralph Holz
Hi, The most common security breach is probably that a government or powerful private group launches a man in the middle attack. Are CAs going to report that? Seems unlikely. The key word in your sentence is "probably". Just how much is that? I'm not saying I'm not with you in the general

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Marsh Ray
On 06/25/2011 03:48 PM, Ian G wrote: On 21/06/11 4:15 PM, Marsh Ray wrote: This was about the CNNIC situation, Ah, the "I'm not in control of my own root list" threat scenario. See, the thing there is that CNNIC has a dirty reputation. That's part of it. But there are some deeper issues.

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Jonathan Thornburg
On Sun, 26 Jun 2011, Marsh Ray wrote: How about these questions: When is a centralized root list necessary and when can it be avoided? How can the quality of root CAs be improved? How can the number of root CAs be reduced in general? How can the number of root CAs be reduced in specific

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread The Fungi
On Sun, Jun 26, 2011 at 12:26:40PM -0500, Marsh Ray wrote: [...] Now maybe it's different for ISP core router admins, but the existence of this product strongly implies that at least some admins are connecting to their router with their web browser over HTTPS and typing in the same password

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Marsh Ray
On 06/26/2011 01:13 PM, The Fungi wrote: On Sun, Jun 26, 2011 at 12:26:40PM -0500, Marsh Ray wrote: [...] Now maybe it's different for ISP core router admins, but the existence of this product strongly implies that at least some admins are connecting to their router with their web browser over

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Ian G
On 26/06/11 5:50 AM, Ralph Holz wrote: Hi, Any model that offers a security feature to a trivially tiny minority, to the expense of the dominant majority, is daft. The logical conclusion of 1.5 decades' worth of experience with centralised root lists is that we, in the aggregate, may as well

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Marsh Ray
On 06/26/2011 05:58 PM, Ian G wrote: On 26/06/11 5:50 AM, Ralph Holz wrote: - you don't want to hurt the CAs too badly if you are a vendor Vendors spend all day long talking internally and with other vendors. Consequently, they tend to forget who holds the real money. For most healthy

[cryptography] this house believes that user's control over the root list is a placebo

2011-06-25 Thread Ian G
On 21/06/11 4:15 PM, Marsh Ray wrote: On 06/21/2011 12:18 PM, Ian G wrote: On 18/06/11 8:16 PM, Marsh Ray wrote: On 06/18/2011 03:08 PM, slinky wrote: But we know there are still hundreds of trusted root CAs, many from governments, that will silently install themselves into Windows at