Full Disclosure mailing list archives
Re: Expired certificate
From: "Elazar Broad" <elazar () hushmail com>
Date: Mon, 02 Aug 2010 12:36:37 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 <snip> Can't you? The world is full of unpatched systems. You can even find systems where patches are not installed because it is running a piece of mission critical software and they would lose support if they installed any patches (I am not making this up). </snip> Spot on. I know of one large accounting/ERP system(which shall remain nameless, though I am sure there are those out there who have come across it) that checked the SQL version, including the revision number at runtime, which made patching SQL impossible. On Sun, 01 Aug 2010 15:38:46 -0400 Pavel Kankovsky <peak () argo troja mff cuni cz> wrote:
On Sun, 25 Jul 2010, Dan Kaminsky wrote:So... no one is doing revocation checking and expiration isevil.How are we supposed to get rid of invalid certificates?Ask me that in a few days ;)Has one week been enough for you? :)So nobody will sell you a name constrained certificate. It'salmostlike there are serious implementation issues with the extensionin thefield.Obviously not serious enough to prevent their use by US Federal Bridge CA. See <http://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf>Absolutely correct. Whatever world X.509 is great for, it sureain'tthis one.Governments and big companies *are* hierarchical and bureacratic and X.509 was developed for them.Patch management involves the same thing being put on differenthosts,and there's really no choice -- you can't run an infrastructurewithoutmaintaining it, on some timescale anyway.Can't you? The world is full of unpatched systems. You can even find systems where patches are not installed because it is running a piece of mission critical software and they would lose support if they installed any patches (I am not making this up).Certificate management involves different things being put ondifferenthosts, [...]This is a red herring. When you have got a bag of certificates, it is trivial to pick the right certificate for every host and check it automatically both before and after deployment. And everything else but the bits (place where the cert is installed, services that need to be restarted etc.) can stay identical.[...] and there's totally a choice -- you can simply not have a certificate at all.Yes. And you can teach your users to check all server public keys manually. You can also make a choice to send everything in cleartext and set all passwords to "123456" because it will make your life much easier.To paraphrase another quote, "X.509 never fails, only X.509deployers." I do not say X.509 never fails, I questionYou know, it's strange. I never hear stories about networksbeing takendown for nonpayment of electric bills, but we have straight upUIsupport for certificate errors. Why do you think that is?There are various cases of epic fails related to electric bills but I admit I have not found a clear example affecting IT infrastructure directly. Replace interrupted power supply with expired domain registration and you'll be able to find dozens of incidents, all of them affecting IT for obvious reasons--and some of them involving big names like Microsoft and Google. -- Pavel Kankovsky aka Peak / Jeremiah 9:21 \ "For death is come up into our MS Windows(tm)..." \ 21st century edition / _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQECAAYFAkxW9BUACgkQi04xwClgpZiFcAP+OdK2LXgk4IWqZYOMSBRGnMw7yM8N j70MmuihfrvK6q2wyhPtizhnldqX3sWCKhhyHgZbkEUhEtiiOkycKf4x42CO/+dqxzAU xufzLA6paJrf4ugyCPd7xZteEpgKmSFOQVtt8IZV3ttdEbQ4kRpVmdpa5dtWRRBq0b9q DeB2GwI= =5IDt -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Expired certificate Pavel Kankovsky (Aug 01)
- <Possible follow-ups>
- Re: Expired certificate Elazar Broad (Aug 02)
- Re: Expired certificate Paul Schmehl (Aug 04)
- Re: Expired certificate Marsh Ray (Aug 04)
- Re: Expired certificate Charles Morris (Aug 04)
- Re: Expired certificate Paul Schmehl (Aug 04)
- Re: Expired certificate Leif Nixon (Aug 31)