[139049] in North American Network Operators' Group


Re: The state-level attack on the SSL CA security model

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Mar 25 15:49:31 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTikofUP6aky2K0ziW0vGfh-Bqo8dOzv-wzUk0up6@mail.gmail.com>
Date: Fri, 25 Mar 2011 12:46:38 -0700
To: George Herbert <george.herbert@gmail.com>
Cc: nanog group <nanog@nanog.org>, Franck Martin <franck@genius.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 24, 2011, at 2:44 PM, George Herbert wrote:

> On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck@genius.com> wrote:
>>
>> ----- Original Message -----
>>> From: "Roland Dobbins" <rdobbins@arbor.net>
>>> To: "nanog group" <nanog@nanog.org>
>>> Sent: Friday, 25 March, 2011 9:33:27 AM
>>> Subject: Re: The state-level attack on the SSL CA security model
>>> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>>>
>>>>  Disclosure devalues information.
>>>
>>> I think this case is different, given the perception of the cert as a
>>> 'thing' to be bartered.
>>>
>>
>> Isn't there any law that obliges companies to disclose security breaches that involve consumer data?
>
> I don't think SSL certs are consumer data, per se.
>
No, but, a weak SSL cert in use by your company could disclose
consumer data due to its weakness.


Owen


