Ian G [EMAIL PROTECTED] writes:
On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
Er, given that we have no OCSP and no-one's checking CRLs, I think
losing a root cert which is embedded in 99% of browsers out there would
be an _extremely_ big deal.
But
Anne Lynn Wheeler [EMAIL PROTECTED] writes:
several years ago, we did a survey of corporate databases for security
issues ... one was a field by field analysis of types of information
and the vulnerability. for instance ... any information where we could
find a business process that made use
Ian G wrote:
On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
Er, given that we have no OCSP and no-one's checking CRLs, I think
losing a root cert which is embedded in 99% of browsers out there would
be an _extremely_ big deal.
But OCSP/CRL cannot help in
On Wednesday 25 May 2005 19:14, Anne Lynn Wheeler wrote:
Nelson B [EMAIL PROTECTED] writes:
Ah, I was wondering when paradoxes would enter this discussion.
CA self revocation: Everything I say is a lie.
"I think not," said Descartes, who promptly vanished.
the original scenario was that
Ian G [EMAIL PROTECTED] writes:
Sure, that's obvious. But, Lynn, can you shed any light on why the
standards didn't include a mechanism? You seem to be intimating
that the original PKI concept included it.
i have memory of the exchanges taking place about the protocol process
... i would
Anne Lynn Wheeler wrote:
Nelson B [EMAIL PROTECTED] writes:
Ah, I was wondering when paradoxes would enter this discussion.
CA self revocation: Everything I say is a lie.
"I think not," said Descartes, who promptly vanished.
the original scenario was that CA could only assert that they were
I thought the discussion might have been pkix and/or x9f related ... as an
easier step than starting to search my own archives ... i've
done a quick web search ...
one entry in pkix thread
http://www.imc.org/ietf-pkix/old-archive-01/msg01776.html
here is recent m'soft article mentioning the
Anne Lynn Wheeler [EMAIL PROTECTED] writes:
also, i remember OCSP coming on the scene sometime after I had been
going for awhile about how CRLs were 1960s technology (at least in
the payment card business) before payment card moved into the
modern online world with online authentication
Duane wrote:
Without transparency there is no security...
I don't agree. Without transparency, you can't know how much security
you have.
Nevertheless, quoting aphorisms is not particularly helpful.
The process will acquire more transparency; there are plans afoot to
make that happen. But
Gervase Markham [EMAIL PROTECTED] writes:
I don't agree. Without transparency, you can't know how much
security you have.
Nevertheless, quoting aphorisms is not particularly helpful.
The process will acquire more transparency; there are plans afoot to
make that happen. But we had to start
Ian G wrote:
I hadn't seen that before. Currently I understand all
CAs to be in practice zero-accountable. Does anyone
know any different? Are there any payouts? Has a
CA ever been held to account?
On this point, I have noted that some CAs (e.g. XRamp) offer warranties
against fraudulent cert
Ian G wrote:
A CA root cert is no big deal. If it gets lost,
just mint another one and let everyone know
you lost it and to watch out for it.
Er, given that we have no OCSP and no-one's checking CRLs, I think
losing a root cert which is embedded in 99% of browsers out there would
be an
Duane wrote:
Why should something that will potentially affect all of us be shrouded
in such secrecy? Who has something to hide here? Security through
obscurity doesn't cut it; isn't that the exact opposite of one of the
premises that's supposed to make open source software better?
Not all of the
On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
Er, given that we have no OCSP and no-one's checking CRLs, I think
losing a root cert which is embedded in 99% of browsers out there would
be an _extremely_ big deal.
But OCSP/CRL cannot help in case of
Ian,
Ian G wrote:
But OCSP/CRL cannot help in case of *root* cert compromise.
There's nothing above it to sign the validity information.
Can't it revoke itself?
This is priceless and one for the books. This statement shows that you
really don't understand PKI!
Revocation checks cannot be
Frank Hecker wrote:
As I've said before, I don't think use of certs in general and SSL in
particular should be artificially constrained to fit the perceived
requirements of the Internet e-commerce market. To get back to Gerv's
draft paper, I think his discussion is consistent with that
On Thursday 12 May 2005 06:19, Duane wrote:
Actually the funniest thing was said the other day: Mark Shuttleworth
came out and said the root certificate for Thawte was kept in his
underpants drawer for the first 2 years of operation. Needless to say the
audience was in stitches over that one...
On Thursday 12 May 2005 13:28, Duane wrote:
Ian G wrote:
The most important thing that the browser UI
can do is to promote more SSL. If twice as
many people use SSL but it has a slight
vulnerability, that's much better than a perfect
system that is only used by half as many.
I agree
On 5/12/05, Ian G [EMAIL PROTECTED] wrote:
You
surely don't believe all those stories about
m of n copies distributed in hardened bunkers...
With all due respect, I believe the things I can confirm even when you
know better. Would you say I am picky about being sure that things are
false?
On Tuesday 10 May 2005 18:09, Jean-Marc Desperrier wrote:
Gervase Markham wrote:
As an example (and I don't know of anyone who is actually suggesting
this), what if we made all CAs who issued non-zero accountability certs
post a $1,000,000 bond against losses from phishing attacks performed
On Wednesday 11 May 2005 02:05, Ram A Moskovitz wrote:
Gerv, are you or MF required to sign an NDA of any kind to attend?
A good point! And one that shouldn't have needed to
be asked, but given recent revelations about Mofo's
private revenue arrangements (for good or for bad), I
guess this is
Frank Hecker wrote:
Per my above comments, if I do end up going to this meeting with Gerv,
don't expect to see me publishing a detailed report on any discussions.
However if I have time in the next few weeks I will post any relevant
thoughts I have in reference to the general issues
Duane wrote:
This is being touted as representative of the CA and
browser communities/vendors, when I'm guessing it's only encompassing a
very finite view of security based around monetary value of it alone. As
pointed out in the past (by yourself as well), browser SSL/TLS security
extends beyond
Frank Hecker wrote:
Well, *I'm* not touting this as fully representative of the CA and
I never meant to imply you did, my apologies...
I have received a 1-page email from Steve @ Comodo that said the same
thing as Gerv's email did in one line: we're not telling you who's
coming other than
Gervase Markham wrote:
As an example (and I don't know of anyone who is actually suggesting
this), what if we made all CAs who issued non-zero accountability certs
post a $1,000,000 bond against losses from phishing attacks performed
using their certs? Would you consider that a lockout measure?
On 5/10/05, Duane [EMAIL PROTECTED] wrote:
Gervase Markham wrote:
At the moment, I've been asked not to say who has been invited apart
from us and Comodo (the organisers). I assume I will be able to, either
closer to the time or afterwards.
Why should something that will potentially
a paper called
Improving Authentication On The Internet:
http://www.gerv.net/security/improving-authentication/
It starts with the basics, mostly as a way to confirm that my
understanding of the current situation is correct. All comments, both
correcting my facts and giving alternative views
Gervase Markham wrote:
On the 17th of this month, at the invitation of Comodo, the major CAs
and browser vendors (including mozilla.org) are having a meeting in New
York to discuss some of the issues surrounding the future of SSL and
trust on the Internet.
What CAs were/are invited to attend?