The state-level attack on the SSL CA security model

George Herbert george.herbert at
Thu Mar 24 16:44:52 CDT 2011

On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck at> wrote:
> ----- Original Message -----
>> From: "Roland Dobbins" <rdobbins at>
>> To: "nanog group" <nanog at>
>> Sent: Friday, 25 March, 2011 9:33:27 AM
>> Subject: Re: The state-level attack on the SSL CA security model
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>> >  Disclosure devalues information.
>> I think this case is different, given the perception of the cert as a
>> 'thing' to be bartered.
> Isn't there any law that obliges company to disclose security breaches that involve consumer data?

I don't think SSL certs are consumer data, per se.

Back on original point - if the *actual effective* model of browser
security is browsers with an internal revoked cert list - then there's
a case to be made that a pre-announcement in private to the browser
vendors, enough time for them to spin patches, and then widespread
public discussion is the most responsible model approach.  The public
knowing before their browser knows how to handle the bad cert isn't
helpful, unless you can effectively tell people how to get their
browser to actually go verify every cert.

-george william herbert
george.herbert at

More information about the NANOG mailing list