IETF Logo Mail Archive

Re: [therightkey] Barely-capable CAs

Rob Stradling <rob.stradling@comodo.com> Thu, 01 November 2012 20:13 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27DA721F89D0 for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 13:13:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.339
X-Spam-Level:
X-Spam-Status: No, score=-6.339 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1usul1oBseFn for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 13:13:03 -0700 (PDT)
Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id AF0EA21F85AE for <therightkey@ietf.org>; Thu, 1 Nov 2012 13:13:02 -0700 (PDT)
Received: (qmail 26303 invoked from network); 1 Nov 2012 20:12:53 -0000
Received: from ian1.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.201) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 1 Nov 2012 20:12:53 -0000
Received: (qmail 10663 invoked by uid 1000); 1 Nov 2012 20:12:53 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Thu, 01 Nov 2012 20:12:53 +0000
Message-ID: <5092D7C4.6020009@comodo.com>
Date: Thu, 01 Nov 2012 20:12:52 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com> <alpine.BSF.2.00.1211010935330.60568@hiroshima.bogus.com> <CAMm+LwjQiJ3aWpAYdy1hxtf09Sf=4g9AO=r-PihSPVkc8PMLkg@mail.gmail.com> <5092B8C4.3070607@cs.tcd.ie> <CABrd9SRKuo-VW6AHapz0NogKSGmcXXtRomTh1bvZudaB5q-GTQ@mail.gmail.com> <CAMm+LwhxLYhEJ213AmvTo6cCfPRq_0X1hxJx1vN13nfxkBWLiw@mail.gmail.com> <CABrd9ST3=4b73jDZb=Cxq6L_+2z7ExCKcY-ywBiD5hW98uAWBw@mail.gmail.com> <CAMm+Lwh3KeAXibf+vE9KW+JJ7XaUSDMkstcTp-LDwCQe7QX8Mg@mail.gmail.com> <5092D644.5020909@comodo.com>
In-Reply-To: <5092D644.5020909@comodo.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Lucy Lynch <llynch@civil-tongue.net>, Ben Laurie <benl@google.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 20:13:11 -0000

On 01/11/12 20:06, Rob Stradling wrote:
> On 01/11/12 20:01, Phillip Hallam-Baker wrote:
>> OK so some examples do exist. But really what proportion of real world
>> compromises do not involve something bone headed like using a 512 bit
>> key for DKIM signatures?
>>
>> What I am saying here is not 'don't do CT', I am saying that we have to
>> make the ease of administration a high priority in the design.
>
> I would say that "ease of administration" for server operators is one of
> the main reasons why Ben is interested in getting CAs to participate!  ;-)

I'm not saying that CA participation in CT will magically make 
administration easy.  ;-)

I am suggesting that having no extra steps to perform is probably 
_easier_ than having some extra steps to perform.

>> On Thu, Nov 1, 2012 at 3:52 PM, Ben Laurie <benl@google.com
>> <mailto:benl@google.com>> wrote:
>>
>>     On 1 November 2012 18:38, Phillip Hallam-Baker <hallam@gmail.com
>>     <mailto:hallam@gmail.com>> wrote:
>>      > Again, does it appear so subtle after it has been discovered?
>>
>>     Well, I find I have to remind myself how it works. So ... yeah.
>>
>>     Also, I assumed Bliechanbacher was the exponent 3 thing, which was
>>     also pretty subtle.
>>
>>      >
>>      > Would the flaw have been discovered sooner if there was not so
>>     much dead
>>      > code?
>>
>>     I don't think dead code had any influence on either of these.
>>
>>      >
>>      >
>>      > On Thu, Nov 1, 2012 at 2:35 PM, Ben Laurie <benl@google.com
>>     <mailto:benl@google.com>> wrote:
>>      >>
>>      >> On 1 November 2012 18:00, Stephen Farrell
>>     <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>>
>>      >> wrote:
>>      >> >
>>      >> >
>>      >> > On 11/01/2012 05:22 PM, Phillip Hallam-Baker wrote:
>>      >> >> Having worked in Web security over 20 years now, I have still
>>     to see a
>>      >> >> case
>>      >> >> where a system was breached because of a really subtle design
>>     flaw.
>>      >> >
>>      >> > Bleichenbacher?
>>      >>
>>      >> TLS renegotiation?
>>      >>
>>      >> >
>>      >> > S.
>>      >> > _______________________________________________
>>      >> > therightkey mailing list
>>      >> > therightkey@ietf.org <mailto:therightkey@ietf.org>
>>      >> > https://www.ietf.org/mailman/listinfo/therightkey
>>      >
>>      >
>>      >
>>      >
>>      > --
>>      > Website: http://hallambaker.com/
>>      >
>>
>>
>>
>>
>> --
>> Website: http://hallambaker.com/
>>
>>
>>
>> _______________________________________________
>> therightkey mailing list
>> therightkey@ietf.org
>> https://www.ietf.org/mailman/listinfo/therightkey
>>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

v2.23.0 | Report a Bug | By Email