From: James A. Donald jam...@echeque.com
Not only is their lower class law abiding, their bankers and
bureaucrats, unlike ours, are also law abiding.
From which it is evident that the death penalty *does* deter, both for
institutions and individuals.
Sub-Saharan Africa is in general hotter
Ian,
Actually, we thought about asking Mozilla directly and in public: how
many such CAs are known to them? I'd have thought that some would have
disclosed themselves to Mozilla after the communication of the past few
weeks. Your mail makes it seem as if that was not the case, or not to a
Well I am not sure how they can hope to go very far underground. Any and
all users on their internal network could easily detect and anonymously
report the mitm cert for some public web site without any significant risk
of it being tracked back to them. Game over. So removal of one CA from a
Hi,
Well I am not sure how they can hope to go very far underground. Any and
all users on their internal network could easily detect and anonymously
report the mitm cert for some public web site without any significant risk
of it being tracked back to them. Game over. So removal of one CA
My point is this - say you are the CEO of a CA. Do you want to bet your
entire company on no one ever detecting nor reporting the MITM sub-CA that
you issued? I wouldn't do it. All it takes is one savvy or curious guy in a
10,000 person company.
Consequently if there are any other CAs that have
Hi,
On 02/14/2012 04:20 PM, Adam Back wrote:
My point is this - say you are the CEO of a CA. Do you want to bet
your entire company on no one ever detecting nor reporting the MITM
sub-CA that you issued? I wouldn't do it. All it takes is one savvy
or curious guy in a 10,000 person company.
On 14/02/12 21:40 PM, Ralph Holz wrote:
Ian,
Actually, we thought about asking Mozilla directly and in public: how
many such CAs are known to them?
It appears their thoughts were none.
Of course there have been many claims in the past. But the Mozilla CA
desk is frequently surrounded by
On Feb 14, 2012, at 7:42 AM, ianG wrote:
On 14/02/12 21:40 PM, Ralph Holz wrote:
Ian,
Actually, we thought about asking Mozilla directly and in public: how
many such CAs are known to them?
It appears their thoughts were none.
Of course there have been many claims in the past. But
On 2/14/12 9:51 AM, Ralph Holz wrote:
If all users used a tool like Crossbear that does automatic reporting,
yes. But tools like that are a recent development (and so is
Convergence, even though it was predated by Perspectives).
Pardon my ignorance. Just tried to Google these, and cannot find
On Feb 14, 2012, at 1:16 23PM, Jon Callas wrote:
On Feb 14, 2012, at 7:42 AM, ianG wrote:
On 14/02/12 21:40 PM, Ralph Holz wrote:
Ian,
Actually, we thought about asking Mozilla directly and in public: how
many such CAs are known to them?
It appears their thoughts were none.
Of
On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
Hi,
Well I am not sure how they can hope to go very far underground. Any and
all users on their internal network could easily detect and anonymously
report the mitm cert for some public web site without any significant risk
Hi,
If all users used a tool like Crossbear that does automatic reporting,
yes.
Not really -- and this I think goes to the root of why what was done here
is so evil.
[... many correct things omitted, sorry ...]
It is not so hard really to see the conceptual difference between the two
On Tue, Feb 14, 2012 at 09:13:11PM +0100, Ralph Holz wrote:
It is not so hard really to see the conceptual difference between the two
cases. But to tools like Crossbear, they basically look the same.
Why? Crossbear sends the full certificate chain it sees to the CB
server, where it is
Hi,
In both cases, Crossbear will detect a MITM device, yes? But in one
case, the device is authorized to sign for the entities it's signing
certificates for, and in the other, it's not.
This does not in any way diminish the usefulness of Crossbear as a tool
for detecting MITM devices.
On Tue, Feb 14, 2012 at 09:35:45PM +0100, Ralph Holz wrote:
As Crossbear's assessment is not something everyday users will
understand, we ourselves view Crossbear as the tool that, e.g., a
travelling security aficionado/hacker/interested person might want to
use, but not your average guy.
Hi,
As Crossbear's assessment is not something everyday users will
understand, we ourselves view Crossbear as the tool that, e.g., a
travelling security aficionado/hacker/interested person might want to
use, but not your average guy. Our goal is to find out how many Mitm
actually happen,
On 02/14/2012 02:56 PM, Ralph Holz wrote:
BTW, what we do not address is an attacker sending us many forged chains
and/or traces. We don't want clients to have to register with our server
and obtain an identity. That's a sore point.
Aren't the certs of interest those that chain to a well-known
Hi,
BTW, what we do not address is an attacker sending us many forged chains
and/or traces. We don't want clients to have to register with our server
and obtain an identity. That's a sore point.
Aren't the certs of interest those that chain to a well-known root?
So they could be validated,
On 2012-02-14 8:40 PM, Ralph Holz wrote:
issuing a death sentence to a CA who has
disclosed is counter-productive. It will drive the others deeper into
hiding.
You know, I can't help but think of the resemblance to the real world
death penalty for humans - AFAICT it does not seem to deter
Hi,
You know, I can't help but think of the resemblance to the real world
death penalty for humans - AFAICT it does not seem to deter criminals.
Singapore has approximately one hundredth to one thousandth the crime
rate of western democracies - near zero rapes, and dramatically fewer
On 2012-02-15 7:57 AM, Ralph Holz wrote:
You know, I can't help but think of the resemblance to the real world
death penalty for humans - AFAICT it does not seem to deter criminals.
James A. Donald:
Singapore has approximately one hundredth to one thousandth the crime
rate of western
If this conversation on the death penalty gets taken offline,
take me along for the ride but it just doesn't seem germane
to crypto so I'm holding my tongue.
--dan
___
cryptography mailing list
cryptography@randombit.net
Hi all,
Kathleen at Mozilla has reported that she is having trouble dealing with the
Trustwave question because she doesn't know how many other CAs have
issued sub-roots that do MITMs.
Zero, one, a few or many?
I've sent a private email out to those who might have had some direct
exposure. If
23 matches