Vulnerability Development mailing list archives
Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI
From: Pierre Vandevenne <pierre () datarescue com>
Date: Tue, 15 Aug 2000 22:01:57 +0200
On Tue, 15 Aug 2000 09:35:42 -0600, Eric Knight wrote:
> picking a PKI SOA, and ruthlessly hammers various insecure practices that I've discovered in my comparison of all the firms.
That's the most interesting part indeed - not more than 8 characters... hmmm - :-)

Other than that, on the substance...

- it is yet another demonstration that a chain is only as strong as its weakest link.
- is mail server compromise really needed? I imagine simple sniffing could achieve the same result - one doesn't need to get the mail in mail format to use the information, and as far as detection of the problem is concerned, it will be detected soon enough after the original key is revoked anyway.
- imho, it is again convenience vs security - assuming a government would handle the initial certification better, and they probably would, I wouldn't trust them more than the commercial entities if they started to implement a web interface to their databases.

On the form...

- you mix passphrase / password sometimes, with the result that I don't know which is which at some point (see "Poor Password Problem", illustrated by a passphrase screen showing "do not use punctuation").
- then at the table on the last page you say "user can pick any password" - yes for all organizations.

As far as the real problem is concerned, I liked the approach taken by the Global Trust Register much better - the different certification levels are not linked to the amount of money paid but to the amount of verifications carried out.

http://www.cl.cam.ac.uk/Research/Security/Trust-Register/book.html

---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
Current thread:
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Pierre Vandevenne (Aug 15)
- Re: Non-Mathmatical Forging of PKI Digital Certificates / Throwing Rocks at the PKI Eric Knight (Aug 15)