[138982] in North American Network Operators' Group
Re: The state-level attack on the SSL CA security model
daemon@ATHENA.MIT.EDU (George Herbert)
Thu Mar 24 17:44:56 2011
In-Reply-To: <27726811.0.1301002752950.JavaMail.franck@Macintosh-3.local>
Date: Thu, 24 Mar 2011 14:44:52 -0700
From: George Herbert <george.herbert@gmail.com>
To: Franck Martin <franck@genius.com>
Cc: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck@genius.com> wrote:
>
>
> ----- Original Message -----
>> From: "Roland Dobbins" <rdobbins@arbor.net>
>> To: "nanog group" <nanog@nanog.org>
>> Sent: Friday, 25 March, 2011 9:33:27 AM
>> Subject: Re: The state-level attack on the SSL CA security model
>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>
>> > Disclosure devalues information.
>>
>>
>> I think this case is different, given the perception of the cert as a
>> 'thing' to be bartered.
>>
>
> Isn't there any law that obliges companies to disclose security breaches that involve consumer data?
I don't think SSL certs are consumer data, per se.
Back on the original point - if the *actual effective* model of browser
security is browsers with an internal revoked cert list - then there's
a case to be made that a pre-announcement in private to the browser
vendors, enough time for them to spin patches, and then widespread
public discussion is the most responsible model approach. The public
knowing before their browser knows how to handle the bad cert isn't
helpful, unless you can effectively tell people how to get their
browser to actually go verify every cert.
-- 
-george william herbert
george.herbert@gmail.com