On Tue, Apr 14, 2015 at 07:51:24AM -0500, Peter Kurrasch wrote:
> So, to paraphrase, the security benefit to CT is on par with posting speed
> limits along a highway: if you're going to break the rules, don't get
> caught.
I think that's a very bad analogy. The way the *entire* world works is "if
On Tue, Apr 14, 2015 at 01:38:55PM +0200, Kurt Roeckx wrote:
> On 2015-04-14 01:15, Peter Kurrasch wrote:
> >Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and
> >let's further suppose that CNNIC includes this cert in the CT data since
> >they have agreed to do that. Wha
So basically we have: if you mis-issue an end-entity cert and don't update the
CT logs, the cert won't work; mis-issue the cert and update the logs with the
mis-issuance and everything works just fine.
As you say, someone might notice it and say something but there is also a
chance that nobody
On Thursday, March 19, 2015 at 1:02:06 PM UTC-7, Peter Bowen wrote:
> On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson wrote:
> > I propose removing the following root cert from NSS, due to inadequate audit
> > statements.
> >
> > Issuer:
> > CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayici
I'm not sure I agree with this metaphor because someone still will review the
speed camera data and pass judgment. Who will be doing that for CT? The other
problem is that in a speed camera situation there is a documented procedure for
dealing with violators.
Has anyone made a public commitmen
On 14/04/15 13:09, Kurt Roeckx wrote:
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in t
I am coming to the conclusion that 'Why fix X when the attacker can do
Y so lets not bother with X' is the worst form of security argument.
No security control is a magic bullet. Expecting the control that
addresses X to also address Y is unreasonable. It is an excuse for
inaction.
CT is merely o
Peter, CT is a detection mechanism, so I'd say it's more like a speed
camera than a speed limit. If a speed camera catches you speeding, then
it's done its job. If the relevant authorities decide to let you off
the hook, that doesn't mean that the speed camera was ineffective!
On 14/04/15 13
On 14/04/15 00:15, Peter Kurrasch wrote:
> Let's use an example. Suppose CNNIC issues a cert for
> whitehouse[dot]gov
presumably without permission ;-)...
> and let's further suppose that CNNIC includes this
> cert in the CT data since they have agreed to do that. What happens
> next?
If no
Breaking this part of the discussion out of the CNNIC thread
So, to paraphrase, the security benefit to CT is on par with posting speed
limits along a highway: if you're going to break the rules, don't get caught.
And if you do get caught, have a good excuse--although in the case of CT there
On 14/04/15 01:19, Matt Palmer wrote:
> I'm not a fan of browser-imposed name constraints on CAs, at a philosophical
> level. An important principle of the Mozilla root program, IMO, is that it
> works for the public good (insofar as "the public" is represented by "users
> of Mozilla products").
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed to do
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed to do that. What happens next?
What I've been
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and
let's further suppose that CNNIC includes this cert in the CT data since they
have agreed to do that. What happens next?
What I've been wondering about is whether we need a
14 matches
Mail list logo
