nanog mailing list archives
RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
From: Hank Nussbacher <hank () efes iucc ac il>
Date: Mon, 12 Sep 2011 08:22:46 +0300
At 13:00 11/09/2011 -0600, Keith Medcalf wrote:
> Damian Menscher wrote on 2011-09-11:
>> Because of that lost trust, any cross-signed cert would likely be
>> revoked by the browsers. It would also make the browser vendors
>> question whether the signing CA is worthy of their trust.
>
> And therein is the root of the problem: Trustworthiness is assessed by what you refer to as the "browser vendors". Unfortunately, there is no Trustworthiness assessment of those vendors.
>
> The current system provides no more authentication or confidentiality than if everyone simply used self-signed certificates. It is nothing more than theatre and provides no actual security benefit whatsoever. Anyone believing otherwise is operating under a delusion.
The problem is about lack of pen-testing and a philosophy of security. In order to run a CA, one not only has to build the infrastructure but also to have constant external pen-testing and patch management in place. Whether it be Comodo or RSA or now DigiNotar, unless an overwhelming philosophy of "computer and network security" is paradigmed into the corporate DNA, this will keep happening - and not only to CAs but to the likes of Google, Cisco, Microsoft, etc. (read - APT attacks).
If 60% of your employees will plug in a USB drive they find in the parking lot, then you have failed:
http://www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html

The problem for us as a community is to find a benchmark of which company "does have a clue" vs those that don't. Until then, it will just be whack-a-mole/CA.
-Hank
Current thread:
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates, (continued)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
- RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Keith Medcalf (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Robert Bonomi (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Christopher Morrow (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Mike Jones (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Valdis . Kletnieks (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Eliot Lear (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jason Duerstock (Sep 12)
- Re: DANE and DNSSEC, was Microsoft deems all DigiNotar John Levine (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Eliot Lear (Sep 12)