The state-level attack on the SSL CA security model

George Herbert george.herbert at gmail.com
Thu Mar 24 16:44:52 CDT 2011


On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck at genius.com> wrote:
>
>
> ----- Original Message -----
>> From: "Roland Dobbins" <rdobbins at arbor.net>
>> To: "nanog group" <nanog at nanog.org>
>> Sent: Friday, 25 March, 2011 9:33:27 AM
>> Subject: Re: The state-level attack on the SSL CA security model
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>
>> >  Disclosure devalues information.
>>
>>
>> I think this case is different, given the perception of the cert as a
>> 'thing' to be bartered.
>>
>
> Isn't there any law that obliges company to disclose security breaches that involve consumer data?

I don't think SSL certs are consumer data, per se.

Back on original point - if the *actual effective* model of browser
security is browsers with an internal revoked cert list - then there's
a case to be made that a pre-announcement in private to the browser
vendors, enough time for them to spin patches, and then widespread
public discussion is the most responsible model approach.  The public
knowing before their browser knows how to handle the bad cert isn't
helpful, unless you can effectively tell people how to get their
browser to actually go verify every cert.



-- 
-george william herbert
george.herbert at gmail.com




More information about the NANOG mailing list