Re: The state-level attack on the SSL CA security model

2011-03-29 Thread Florian Weimer
* Crist Clark: Any large, well funded national-level intelligence agency almost certainly has keys to a valid CA distributed with any browser or SSL package. It would be trivial for the US Gov't (and by extension, the whole AUSCANNZUKUS intelligence community) to simply form a shell company

Re: The state-level attack on the SSL CA security model

2011-03-29 Thread Crist Clark
On 3/29/2011 at 12:30 AM, Florian Weimer fwei...@bfk.de wrote: * Crist Clark: Any large, well funded national-level intelligence agency almost certainly has keys to a valid CA distributed with any browser or SSL package. It would be trivial for the US Gov't (and by extension, the whole

Re: The state-level attack on the SSL CA security model

2011-03-28 Thread Crist Clark
On 3/25/2011 at 2:21 AM, Florian Weimer fwei...@bfk.de wrote: * Roland Dobbins: On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. Private keys have been

Re: The state-level attack on the SSL CA security model

2011-03-26 Thread Steven Bellovin
On Mar 26, 2011, at 12:21:12 AM, Franck Martin wrote: On 3/26/11 15:36 , Joe Sniderman joseph.snider...@thoroquel.org wrote: On 03/25/2011 11:12 PM, Steven Bellovin wrote: On Mar 25, 2011, at 12:19:52 PM, Akyol, Bora A wrote: One could argue that you could try something like the

Re: The state-level attack on the SSL CA security model

2011-03-26 Thread Ariel Biener
On 25/03/2011 6:45 PM, valdis.kletni...@vt.edu wrote: On Fri, 25 Mar 2011 09:19:52 PDT, Akyol, Bora A said: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) Gee thanks. I'm going to have nightmares

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Florian Weimer
* Roland Dobbins: On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. Private keys have been traded openly for years. For instance, when your browser tells you

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Joakim Aronius
* George Herbert (george.herb...@gmail.com) wrote: Back on original point - if the *actual effective* model of browser security is browsers with an internal revoked cert list - then there's a case to be made that a pre-announcement in private to the browser vendors, enough time for them to

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Dobbins, Roland
On Mar 25, 2011, at 5:21 PM, Florian Weimer wrote: I can't see how a practice that is completely acceptable at the root certificate level is a danger so significant that state-secret-like treatment is called for once end-user certificates are involved. Again, I don't know enough about what

RE: The state-level attack on the SSL CA security model

2011-03-25 Thread Akyol, Bora A
Message- From: Dobbins, Roland [mailto:rdobb...@arbor.net] Sent: Thursday, March 24, 2011 3:28 AM To: nanog group Subject: Re: The state-level attack on the SSL CA security model ... Unfortunately, the general public neither knows, understands, nor cares about such things. They happily click 'I

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Valdis . Kletnieks
On Fri, 25 Mar 2011 08:36:12 PDT, Akyol, Bora A said: Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before. That would be great, if you could ensure the following: 1) That Joe Sixpack actually knows enough

RE: The state-level attack on the SSL CA security model

2011-03-25 Thread Akyol, Bora A
: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model On Fri, 25 Mar 2011 08:36:12 PDT, Akyol, Bora A said: Is it far fetched to supplement the existing system with a reputation based model such as PGP? I apologize if this was discussed before. That would

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Dorn Hetzel
;-) -Original Message- From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] Sent: Friday, March 25, 2011 9:05 AM To: Akyol, Bora A Cc: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model On Fri, 25 Mar 2011 08:36:12 PDT, Akyol, Bora

RE: The state-level attack on the SSL CA security model

2011-03-25 Thread Akyol, Bora A
: valdis.kletni...@vt.edu; nanog group Subject: Re: The state-level attack on the SSL CA security model Not entirely unreasonable.  A button for friend and then one for trusted friend :) On Fri, Mar 25, 2011 at 12:19 PM, Akyol, Bora A b...@pnl.gov wrote: One could argue that you could try something

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Valdis . Kletnieks
On Fri, 25 Mar 2011 09:19:52 PDT, Akyol, Bora A said: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) Gee thanks. I'm going to have nightmares for *weeks* now... :)

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread =JeffH
Mozilla has now posted a more detailed accounting here.. Comodo Certificate Issue – Follow Up 03.25.11 - 08:39am http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/ =JeffH

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Martin Millnert
[mailto:valdis.kletni...@vt.edu] Sent: Friday, March 25, 2011 9:05 AM To: Akyol, Bora A Cc: Dobbins, Roland; nanog group Subject: Re: The state-level attack on the SSL CA security model On Fri, 25 Mar 2011 08:36:12 PDT, Akyol, Bora A said: Is it far fetched to supplement the existing system

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Owen DeLong
-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. Isn't there any law that obliges company to disclose security

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Steven Bellovin
On Mar 25, 2011, at 12:19:52 PM, Akyol, Bora A wrote: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) Except, of course, for the fact that people tend to have hundreds of friends, many of whom

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Joe Sniderman
On 03/25/2011 11:12 PM, Steven Bellovin wrote: On Mar 25, 2011, at 12:19:52 PM, Akyol, Bora A wrote: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming. Facebook web of trust app ;-) Except, of course, for the fact that people

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Franck Martin
On 3/26/11 15:36 , Joe Sniderman joseph.snider...@thoroquel.org wrote: On 03/25/2011 11:12 PM, Steven Bellovin wrote: On Mar 25, 2011, at 12:19:52 PM, Akyol, Bora A wrote: One could argue that you could try something like the facebook model (or facebook itself). I can see it coming.

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Joakim Aronius
* Dobbins, Roland (rdobb...@arbor.net) wrote: On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote: Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less. An argument against doing this prior to fixes being available is

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dobbins, Roland
On Mar 24, 2011, at 6:19 PM, Joakim Aronius wrote: Surely the value of stolen certs is higher if the public do not know that they exist. A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Florian Weimer
* Roland Dobbins: A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more valuable. This is at odds with what happens in other contexts. Disclosure devalues information. -- Florian Weimer

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Leif Nixon
Harald Koch c...@pobox.com writes: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Tony Finch
Harald Koch c...@pobox.com wrote: This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place. It would have been much easier if certificate revocation actually worked properly.

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dan White
On 24/03/11 10:09 -0400, Harald Koch wrote: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Richard Barnes
Which is especially funny since Comodo is citing the fact that they've had no OCSP requests for the bad certs as evidence that they haven't been used. --Richard On Thu, Mar 24, 2011 at 10:53 AM, Tony Finch d...@dotat.at wrote: Harald Koch c...@pobox.com wrote: This story strikes me as a

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Brian Keefer
On Mar 24, 2011, at 7:09 AM, Harald Koch wrote: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dobbins, Roland
On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. --- Roland Dobbins rdobb...@arbor.net //

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Franck Martin
- Original Message - From: Roland Dobbins rdobb...@arbor.net To: nanog group nanog@nanog.org Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread George Herbert
On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin fra...@genius.com wrote: - Original Message - From: Roland Dobbins rdobb...@arbor.net To: nanog group nanog@nanog.org Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Danny O'Brien
On Thu, Mar 24, 2011 at 7:09 AM, Harald Koch c...@pobox.com wrote: On 3/23/2011 11:05 PM, Martin Millnert wrote: To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security,

The state-level attack on the SSL CA security model

2011-03-23 Thread Martin Millnert
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security. Essentially a state somewhere between Iraq and Pakistan snatched valid certs
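The two technical points running through this thread can be shown offline: Millnert's original post above (a trusted CA signing certificates for names it should never have issued, which then validate in every client carrying that root) and the revocation remarks by Tony Finch and Richard Barnes earlier in the listing (revocation only protects clients that actually check and refuse to proceed when they cannot, so an absence of OCSP lookups at the CA says nothing about whether a cert was used against a client whose revocation traffic was blocked). The Go program below is an added example written for this archive page; it is not code from any of the posters and has nothing to do with Comodo's or any browser's implementation. Everything in it is constructed for the demonstration: the root name "Constructed Trusted Root", the host name login.example.net, the serial numbers, and the fetch callback that stands in for downloading a CRL or querying OCSP are all assumptions, as are the helper names mint, buildPKI, chainValid, issueCRL and checkRevocation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func mint(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI creates a constructed, throwaway root of the kind a client trusts and has it
// issue a leaf for a host name its operator never requested. Any root in the trust store
// can do this; the names and serials here are placeholders for the example.
func buildPKI() (*x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Trusted Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x4242), // placeholder serial of the mis-issued cert
		Subject:      pkix.Name{CommonName: "login.example.net"},
		DNSNames:     []string{"login.example.net"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	leaf, err := mint(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return ca, caKey, leaf, nil
}

// chainValid is what a TLS client checks: a path to a trusted root and a host-name match.
func chainValid(leaf, root *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// issueCRL has the CA publish a signed CRL listing serial as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now().Add(-time.Minute)}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation reports whether leaf may be used. fetch stands in for downloading the
// issuer's CRL (an OCSP query has the same shape). A fail-open client accepts the cert when
// the fetch fails, so an attacker who blocks that traffic keeps using a revoked cert unseen.
func checkRevocation(leaf, issuer *x509.Certificate, fetch func() ([]byte, error), failOpen bool) (bool, error) {
	der, err := fetch()
	if err != nil {
		if failOpen {
			return true, nil
		}
		return false, errors.New("revocation status unavailable: " + err.Error())
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return false, errors.New("certificate is revoked")
		}
	}
	return true, nil
}
```

Run it through the checks in the order a client would: chainValid accepts the mis-issued leaf for login.example.net because the root is trusted and the name matches; checkRevocation rejects it once the CA's CRL is reachable; and with the fetch failing, the same revoked certificate is accepted by a fail-open client and rejected only by a fail-closed one. The fail-open branch is the behaviour that makes "no OCSP requests seen" a weak indicator of non-use.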

Re: The state-level attack on the SSL CA security model

2011-03-23 Thread Dobbins, Roland
On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote: Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less. An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously