[139014] in North American Network Operators' Group
Re: The state-level attack on the SSL CA security model
daemon@ATHENA.MIT.EDU (Florian Weimer)
Fri Mar 25 05:21:27 2011
To: nanog group <nanog@nanog.org>
From: Florian Weimer <fweimer@bfk.de>
Date: Fri, 25 Mar 2011 09:21:22 +0000
In-Reply-To: <67A80530-F81B-41B7-A7B3-5B1131A8F8C4@arbor.net> (Roland
Dobbins's message of "Thu, 24 Mar 2011 21:33:27 +0000")
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
* Roland Dobbins:
> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>
>> Disclosure devalues information.
> I think this case is different, given the perception of the cert as
> a 'thing' to be bartered.
Private keys have been traded openly for years. For instance, when
your browser tells you that a web site has been verified by "Equifax"
(exact phrasing in the UI may vary), it's just not true. Equifax has
sold its private key to someone else long ago, and chances are that
the key material has changed hands a couple of times since.
I can't see how a practice that is completely acceptable at the root
certificate level is a danger so significant that state-secret-like
treatment is called for once end-user certificates are involved.
-- 
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99