Re: The state-level attack on the SSL CA security model

[George Herbert <george.herbert () gmail com>]

On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck () genius com> wrote:
> ----- Original Message -----
> > From: "Roland Dobbins" <rdobbins () arbor net>
> > To: "nanog group" <nanog () nanog org>
> > Sent: Friday, 25 March, 2011 9:33:27 AM
> > Subject: Re: The state-level attack on the SSL CA security model
> > On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
> >
> > >  Disclosure devalues information.
> >
> >
> > I think this case is different, given the perception of the cert as a
> > 'thing' to be bartered.
>
> Isn't there any law that obliges company to disclose security breaches that involve consumer data?

I don't think SSL certs are consumer data, per se.

Back on original point - if the *actual effective* model of browser
security is browsers with an internal revoked cert list - then there's
a case to be made that a pre-announcement in private to the browser
vendors, enough time for them to spin patches, and then widespread
public discussion is the most responsible model approach.  The public
knowing before their browser knows how to handle the bad cert isn't
helpful, unless you can effectively tell people how to get their
browser to actually go verify every cert.



-- 
-george william herbert
george.herbert () gmail com