[14253] in cryptography@c2.net mail archive


Re: End of the line for Ireland's dotcom star

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Tue Sep 23 21:48:07 2003

X-Original-To: cryptography@metzdowd.com
Date: Wed, 24 Sep 2003 10:38:18 +1200
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, jya@pipeline.com

John Young <jya@pipeline.com> writes:

>Who at Baltimore, or was once there, is likely to be able to account for the
>security of the certs for customers who still rely upon them? Not somebody to
>spin a fairy tale, but to truthfully explain what Baltimore has done to avoid
>betraying the trust of its customers, or handing that trust over to others who
>may not have Baltimore's scruples or be bound by its promises.

Is it really that big a deal though?  You're only ever as secure as the *least
secure* of the 100+ CAs automatically trusted by MSIE/CryptoAPI and Mozilla,
and I suspect that a number of those (ones with 512-bit keys or moribund web
sites indicating that the owner has disappeared) are much more of a risk than
the GTE/Baltimore/beTRUSTed/whoever-will-follow-them succession.

The real lesson of this, I think, is the observation that "The company would
have done better to concentrate on making its core PKI technology easier to
deploy", which applies to most other PKI vendors and products as well.
Baltimore had the bizarre business strategy of using revenue from its PKI
products as a means of driving/funding work in its other product branches,
which is a bit like a drowning man going for a boat anchor as his most likely
flotation device.

Peter (currently flooded with Linux VPN mail, please be patient).
