Re: A mighty fortress is our PKI

2010-07-25 Thread Paul Tiemann
show stopper for SNI at the moment, but (b) is not so problematic due to the internal automation that is likely to be a prerequisite for managing many certificates across multiple locations. I appreciate the chance to participate in the discussion. We're very open to considering the risks, and not afraid to make changes based on feedback like this. From my call with Edgecast I can tell you they feel the same way, and they're willing to make changes to improve. All the best, Paul Tiemann CTO, DigiCert, Inc. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: A mighty fortress is our PKI, Part II

2010-07-27 Thread Paul Tiemann
on files you received after that date. I like that idea, as long as a verifiable timestamp is included. Without a trusted timestamp, would the bad guy be able to backdate the signature? Paul Tiemann (DigiCert)

Re: A mighty fortress is our PKI

2010-07-27 Thread Paul Tiemann
w chapters about building a balanced scorecard to measure your operations from more perspectives than just dollars and cents. When I read that nist.gov link, the joke about the spherical cow popped into my head. Paul Tiemann (DigiCert)

Re: A mighty fortress is our PKI

2010-07-27 Thread Paul Tiemann
take up a cause like that. The security community could encourage it maybe? Put a PayPal button on there. I know a lot of people who would donate money. Looks like at least one site is out there: http://ie6update.com/ but has no PayPal donate button, and doesn't offer newcomers the

Re: A mighty fortress is our PKI

2010-07-27 Thread Paul Tiemann
he browsers don't really do different things based on the reason code anyway (to my knowledge). Paul Tiemann (DigiCert)

Re: A mighty fortress is our PKI

2010-07-27 Thread Paul Tiemann
n't do this. Many CDNs just serve up static (non-origin cached, no POST support) sites. >> I've spoken with my contacts at Edgecast, and they expressed that they're >> very willing to consider alternate approaches. > > I'm not actually sure what the "fix

Re: A mighty fortress is our PKI

2010-07-28 Thread Paul Tiemann
commendation is to emulate the success of SSH, but in a browser-y, > gentle-compliance-with-the-status-quo-where-safe way. > > https://docs.google.com/present/view?id=df9sn445_206ff3kn9gs Great slides! The TOFU/POP is nice, and my

Re: A mighty fortress is our PKI

2010-07-28 Thread Paul Tiemann
aware of the risks and to verify that we don't only rely on automated forms of verification. I really appreciated the call--it felt like my chance to talk to a rock star. All the best, Paul Tiemann (DigiCert)

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Paul Tiemann
or "not valid certificate" was explicitly excluded from > OCSP because that's not how things are supposed to be done). True for off-the-shelf OCSP responders that base themselves on CRL. Paul Tiemann (DigiCert)

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Paul Tiemann
't say yes or no, it doesn't matter whether > the response is coming from a live database or a month-old CRL, since it's > still a fully CRL-bug-compatible blacklist I can trivially avoid it with a > manufactured-cert attack. You're right: a manufactured-cert attack

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Paul Tiemann
eck attempt (connection refused, socket timeout, etc.) as a success. What it ought to do is try the CRL(s) listed in the certificate too, and if both don't work then it really ought to error. Paul Tiemann (DigiCert)

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Paul Tiemann
e Possession of your Error; and by such a Manner you can seldom hope to recommend your self in pleasing your Hearers, or to persuade those whose Concurrence you desire. (Part One of The Autobiography of Benjamin Franklin, 1793; from The Library of America edition of Benjamin Franklin: Writings, 19