IETF Logo Mail Archive

Re: [therightkey] Barely-capable CAs

Phillip Hallam-Baker <hallam@gmail.com> Thu, 01 November 2012 20:01 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 523EF21F95C8 for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 13:01:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.522
X-Spam-Level:
X-Spam-Status: No, score=-3.522 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HGHpx5hPjSBC for <therightkey@ietfa.amsl.com>; Thu, 1 Nov 2012 13:01:03 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7BEF221F95C7 for <therightkey@ietf.org>; Thu, 1 Nov 2012 13:01:03 -0700 (PDT)
Received: by mail-ob0-f172.google.com with SMTP id v19so3172669obq.31 for <therightkey@ietf.org>; Thu, 01 Nov 2012 13:01:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=to9sAZYtEfkJHgnnDWDQN1K25s8qrNG/2GX2ih2s6aI=; b=qwQvyLsnUJJ2RV+Djn9EccoTFhj1SYVBG2N6bsT/gASQS4Kwxt5/7hIbZ99VcQS9tH 4EQAvetjtS03lSGfJ8fJvxvmpU94A8sw+NPmZWSe5Y8h0rHiLyIxJh2qpJmVQsUJYFIX B6y+VFnBfG3wT4V9VUhP2gk4CmgS964REFXFXJt3USmONwqjAtHS/iMuMatA9b9NYHMl jkwspc0DFKDoBgGLg5PITxEGsVHadAIZS712CGOOVpEn9FxIHznMpXFoaQedaLhbWz55 CclwFuQ/diI3/Xy2wsG4Xb1C1T+VfQeRfQOBeU0cwEnelAfqiz0T1LxBuX8feMTc3cxG gVoQ==
MIME-Version: 1.0
Received: by 10.60.36.73 with SMTP id o9mr1043613oej.23.1351800063124; Thu, 01 Nov 2012 13:01:03 -0700 (PDT)
Received: by 10.76.27.103 with HTTP; Thu, 1 Nov 2012 13:01:03 -0700 (PDT)
In-Reply-To: <CABrd9ST3=4b73jDZb=Cxq6L_+2z7ExCKcY-ywBiD5hW98uAWBw@mail.gmail.com>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com> <alpine.BSF.2.00.1211010935330.60568@hiroshima.bogus.com> <CAMm+LwjQiJ3aWpAYdy1hxtf09Sf=4g9AO=r-PihSPVkc8PMLkg@mail.gmail.com> <5092B8C4.3070607@cs.tcd.ie> <CABrd9SRKuo-VW6AHapz0NogKSGmcXXtRomTh1bvZudaB5q-GTQ@mail.gmail.com> <CAMm+LwhxLYhEJ213AmvTo6cCfPRq_0X1hxJx1vN13nfxkBWLiw@mail.gmail.com> <CABrd9ST3=4b73jDZb=Cxq6L_+2z7ExCKcY-ywBiD5hW98uAWBw@mail.gmail.com>
Date: Thu, 01 Nov 2012 16:01:03 -0400
Message-ID: <CAMm+Lwh3KeAXibf+vE9KW+JJ7XaUSDMkstcTp-LDwCQe7QX8Mg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: multipart/alternative; boundary="14dae9c099b891e50304cd747a60"
Cc: Lucy Lynch <llynch@civil-tongue.net>, Paul Hoffman <paul.hoffman@vpnc.org>, "therightkey@ietf.org" <therightkey@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 20:01:04 -0000

OK so some examples do exist. But really what proportion of real world
compromises do not involve something bone headed like using a 512 bit key
for DKIM signatures?

What I am saying here is not 'don't do CT', I am saying that we have to
make the ease of administration a high priority in the design.


On Thu, Nov 1, 2012 at 3:52 PM, Ben Laurie <benl@google.com> wrote:

> On 1 November 2012 18:38, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> > Again, does it appear so subtle after it has been discovered?
>
> Well, I find I have to remind myself how it works. So ... yeah.
>
> Also, I assumed Bliechanbacher was the exponent 3 thing, which was
> also pretty subtle.
>
> >
> > Would the flaw have been discovered sooner if there was not so much dead
> > code?
>
> I don't think dead code had any influence on either of these.
>
> >
> >
> > On Thu, Nov 1, 2012 at 2:35 PM, Ben Laurie <benl@google.com> wrote:
> >>
> >> On 1 November 2012 18:00, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> >> wrote:
> >> >
> >> >
> >> > On 11/01/2012 05:22 PM, Phillip Hallam-Baker wrote:
> >> >> Having worked in Web security over 20 years now, I have still to see
> a
> >> >> case
> >> >> where a system was breached because of a really subtle design flaw.
> >> >
> >> > Bleichenbacher?
> >>
> >> TLS renegotiation?
> >>
> >> >
> >> > S.
> >> > _______________________________________________
> >> > therightkey mailing list
> >> > therightkey@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/therightkey
> >
> >
> >
> >
> > --
> > Website: http://hallambaker.com/
> >
>



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email