Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ben Laurie
On Thu, Sep 15, 2011 at 6:40 AM, Kevin W. Wall kevin.w.w...@gmail.com wrote: [Note to moderator: May be slightly OT. Unfortunately, Gmail web interface won't allow me to alter the Subject: to mention it there.] [Note to gmail user: yes it will, Edit Subject right under the To box.

[cryptography] DigiNotar news

2011-09-15 Thread Kevin W. Wall
The DigiNotar breach made the IEEE Spectrum: http://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands/?utm_source=techalert&utm_medium=email&utm_campaign=091511 I only skimmed it and while I didn't see anything new, it is a

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Andy Steingruebl
On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor arshad.n...@strongauth.com wrote: However, an RP must assess this risk before trusting a self-signed Root CA's certificate.  If you believe there is uncertainty, then don't trust the Root CA.  Delete their certificate from your browser and other

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ian G
On 15/09/2011, at 15:40, Kevin W. Wall kevin.w.w...@gmail.com wrote: Trust is not binary. Right. Or, in modelling terms, trust isn't absolute. AES might be 99.99% reliable, which is approximately 100% for any million or so events [1]. Trust in a CA might be more like 99%. Now, if we

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ian G
On 16/09/2011, at 1:22, Andy Steingruebl a...@steingruebl.com wrote: On Wed, Sep 14, 2011 at 7:34 PM, Arshad Noor arshad.n...@strongauth.com wrote: However, an RP must assess this risk before trusting a self-signed Root CA's certificate. If you believe there is uncertainty, then don't

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Marsh Ray
On 09/15/2011 12:15 PM, Ian G wrote: Trust in a CA might be more like 99%. Now, if we have a 1% untrustworthy rating for a CA, what happens when we have 100 CAs? Well, untrust is additive (at least). We require to trust all the CAs. So we have a 100% untrustworthy rating for any system of 100

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Ben Laurie
On Thu, Sep 15, 2011 at 7:16 PM, Marsh Ray ma...@extendedsubset.com wrote: Zooko said something the other day that has really stuck with me. I can't get it out of my head, I hope he will give us a post to explain it further: https://twitter.com/zooko/status/108347877872500737 I find the word

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread dan
Marsh Ray said this: "Is this user's reliance dependency transitive? - Yes, obviously." I agree with that. Can I ask if you agree with this? The source of risk is dependence, perhaps especially dependence on expectations of system state. Thinking aloud,

[cryptography] Let's go back to the beginning on this

2011-09-15 Thread Hird, Geoffrey R
I find the word trust confuses more than it communicates. Try Mark S. Miller's relies on instead! This reminds me... As many here will know, the DoD (Orange book, etc.) uses (or at least used to use) the word trust explicitly in this latter sense. Any component that handled multi-level data