Re: [cryptography] Thawte

2011-09-07 Thread jd.cypherpunks
thanks! Michael ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Peter Gutmann
Ian G writes:
> It is not a new observation that the original threat modelling had flaws you could drive a truck through :)

You forgot to mention what the SSL/browser PKI threat model actually is, as first pointed out by some guy called Grigg: SSL/browser PKI is defined to be the solution.

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Peter Gutmann
Marsh Ray writes:
> He wants credit for saving the world from PKI!

He should get it. A number of security practitioners have been trying to tell the world for more than a decade that this stuff, you know, doesn't actually, well, work. Whoever's behind this has now made it impossible (or at leas

[cryptography] OT: DigiNotar Certificates Are Pulled, but Not on Smartphones

2011-09-07 Thread Jeffrey Walton
(As far as I know, Apple has not fixed their desktop/server software either. The folks that have to deal with it are still hacking solutions [1]. It's not a big surprise, since Apple's PKI appears to be generally broken from a programmer's perspective [2]). http://www.pcworld.com/businesscenter/art

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Lucky Green
On 2011-09-07 14:47, Ian G wrote:
> [...the original security requirement was to protect Credit cards. Only. Which have a known value range, a loss model, an insurance model, institutions already at arms to protect Robbie Relier.
>
> So, when people started using SSL for other purposes (emai

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Lucky Green
On 2011-09-07 16:13, d...@geer.org wrote:
> Peter (or anyone) -- would you comment on the existence and practice of "bridge CAs" please? Extra credit (as in "thank you") for its plausible role in public clouds.

Dan, Bridge CAs serve to graft a new top-level root above a preexisting set of roo

Re: [cryptography] Thawte

2011-09-07 Thread dan
<~offtopic> For color w.r.t. Thawte, see http://www.markshuttleworth.com/biography FWIW, Shuttleworth's attorney for the acquisition was Stewart Baker. --dan

Re: [cryptography] Thawte

2011-09-07 Thread John Levine
> Thawte is part of Verisign, that is a spin-off from RSA Security.

They were an independent company in South Africa with operations in the US and other places. Verisign bought them in 2000. I never heard of them having any connection to RSA, which has always been in the US. I presume that Veris

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Arshad Noor
On 09/07/2011 04:13 PM, d...@geer.org wrote:
> Peter (or anyone) -- would you comment on the existence and practice of "bridge CAs" please? Extra credit (as in "thank you") for its plausible role in public clouds.

Two of the best-known Bridge CAs are the Federal Bridge CA, a component of the F

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread dan
| It has been suggested that we need a kind of meta-CA or CA for CAs (CACA).
| Then the browser vendors could code CACA into the browsers, and we'd all be
| trusting in CACA.
|
| Or maybe we already are.

Peter (or anyone) -- would you comment on the existence and practice of "bridge

[cryptography] PKI "fixes" that don't fix PKI (part II)

2011-09-07 Thread Lucky Green
[Adding a cc: to observatory. I am not a big fan of cross posting, but there are two virtually identical discussions taking place on the Cryptography and SSL Observatory mailing lists]. Folks, After writing my "Diginotar Lessons Learned (long)" post yesterday to the Cryptography mailing list, I br

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Ian G
On 8/09/11 6:02 AM, I wrote:
> H I'm not sure I'd suspend issuance without some evidence.

On 8/09/11 6:13 AM, Franck Leroy wrote, coz he checked the source!:
> http://pastebin.com/GkKUhu35
>
> extract:
>
> Third: You only heards Comodo (successfully issued 9 certs for me - thanks by t

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Marsh Ray
On 09/07/2011 02:34 PM, Fredrik Henbjork wrote:
> http://www.globalsign.com/company/press/090611-security-response.html
>
> This whole mess just gets "better and better"...

What's interesting is how the attacker simply doesn't fit the expected motivations that SSL cert-based PKI was ever sold as def

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Ian G
On 8/09/11 5:34 AM, Fredrik Henbjork wrote:
> http://www.globalsign.com/company/press/090611-security-response.html
>
> This whole mess just gets "better and better"...

"As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete.

[cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Fredrik Henbjork
http://www.globalsign.com/company/press/090611-security-response.html This whole mess just gets "better and better"...

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Peter Gutmann
Marsh Ray writes:
> Do we need then a whole spectrum of "Super Validation", "Hyper Validation", and "Ludicrous Validation" to address the ridiculous deficiencies found in these current pwned EV CAs?

It has been suggested that we need a kind of meta-CA or CA for CAs (CACA). Then the browser vend

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Marsh Ray
On 09/07/2011 10:00 AM, Peter Gutmann wrote:
> Ian G writes:
> > Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.
>
> Actually I'm not sure that DigiNotar was "the bottom", since they seem to have been somewhat careful about the certs they issued. "The bottom" is the cert

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Peter Gutmann
Ian G writes:
> Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar.

Actually I'm not sure that DigiNotar was "the bottom", since they seem to have been somewhat careful about the certs they issued. "The bottom" is the cert vending machines that will issue a cert to abso

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Ian G
On 7/09/11 7:34 AM, Fredrik Henbjork wrote:
> Here's another gem related to the subject. In 2003 CAcert wished to have their root certificate added to Mozilla's browser, and in the resulting discussion in Bugzilla, Mozilla cryptodeveloper Nelson Bolyard had the following to say: "I have no opinio

[cryptography] Thawte

2011-09-07 Thread jd.cypherpunks
Thawte is part of Verisign, that is a spin-off from RSA Security. Am I right?