Comments: PKI and SSL - the jaws of trust snap shut

possibly minor reference to the "last great dataprocessing IT party" ... which was news article referencing the IBM party at RSA 2000 held at San Jose coliseum ... old post about the party:
http://www.garlic.com/~lynn/2006r.html#15

Posted by Lynn Wheeler at February 10, 2012 10:31 AM

I was lucky enough to attend a talk by Moxie Marlinspike on these issues a couple of weeks back. He's developed a tool called Convergence to deal with the issues. It's not perfect, but it's mostly better than what we have at the moment.

http://convergence.io

I'd love to hear your views on the approach?

Posted by Chris Swan at February 10, 2012 11:10 AM

for slight topic drift ... comments just now
http://www.garlic.com/~lynn/2012b.html#70

on this

Four Sources of Trust, Crypto Not Scaling
http://www.phibetaiota.net/2012/02/john-robb-four-sources-of-trust-crypto-not-scaling/

Why The Global System is Killing Trust
http://globalguerrillas.typepad.com/globalguerrillas/2012/02/why-the-global-system-is-killing-trust.html

Posted by Lynn Wheeler at February 10, 2012 12:12 PM

The thing that has always bugged me about the HTTPS everywhere movement is exactly this - what's the point of creating an illusion of privacy when it's reasonable to assume that your employer or a government agency acting through a compliant ISP is monitoring your activities in any case?

I *don't* trust my employer and most of my browsing at work is done through an SSH tunnel. I don't care about CAs or SSL issues at that level.

But fundamentally if I can't trust financial transactions, that's a different matter altogether.

OT - is it possible to fix the formatting in your RSS feed?

thanx

Steve

Posted by Steve Wart at February 10, 2012 12:32 PM

The "lost business" to all of these dependent government departments would be minimal if they simply purchased new certificates from another CA to replace their Trustwave ones. Any business with any sense would be replacing their certificates with non-Trustwave ones right now, in preparation for the possibility of Trustwave's CA being pulled from browsers.

Therefore, I don't see how this can be used as a strong argument for keeping Trustwave's CA being trusted.

Posted by Martin Smith at February 11, 2012 02:56 AM

@Martin Smith
During the DigiNotar debacle, hundreds of applications had DigiNotar certificates hard-coded; because the certificates where (along with other things) used by the tax department all digital tax information submission was hampered. It also caused great problems for Justice, since they also used these certificates. Because there is an extensive procedure for special certificates and a limited number of approved authorities for these purposes in the Netherlands, it took months to replace them all.

Posted by Johan at February 11, 2012 04:47 PM

"Trustwave"? More like "Trustwaive" amirite?

Unlike the other popular browser vendors, Mozilla claims to operate for the benefit of its users. I don't see how they can credibly avoid dropping this CA, although I expect them to delay the process for months in order to avoid punishing the mostly guilty.

Posted by Jess at February 14, 2012 01:24 PM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x5602b6919fb0) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.