Re: [therightkey] Barely-capable CAs
Phillip Hallam-Baker <hallam@gmail.com> Sat, 03 November 2012 02:10 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7DD21F0C9F for <therightkey@ietfa.amsl.com>; Fri, 2 Nov 2012 19:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.529
X-Spam-Level:
X-Spam-Status: No, score=-3.529 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1XHTcIB5CDqx for <therightkey@ietfa.amsl.com>; Fri, 2 Nov 2012 19:10:57 -0700 (PDT)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id D13031F0C9C for <therightkey@ietf.org>; Fri, 2 Nov 2012 19:10:56 -0700 (PDT)
Received: by mail-oa0-f44.google.com with SMTP id n5so4517116oag.31 for <therightkey@ietf.org>; Fri, 02 Nov 2012 19:10:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vNgqmIQn7O7vWBta9DFhLHHDL71k2ds8s6d+ly4OzkM=; b=whCbmUCh+JqirQRQlKPfR3NyDj0qRBoFGdkqwfncx6oEd2AaLOH5WiVBH/Y18v0ipc xwnSNPlcqmjTe+Y2jdOAuc0nvyygy/II+APVt42CB4gJTx4eJcgk/mu1CGK0R0A8fvNR 92xu4S4W3rAZtSri0YOmYvSbjibOSDBqA7Z0ha2hQBA2U2KZI4GToJhuYAi+W2qKkWNz Ki1T0kHGO1oLD5aWhLfmcOqdcMmisNLYng50fHqJEJ0F5ycVtW9aUValS38qDy80zEMl Bpvoih3w2uvcSUtEMQ15XLhwZIJqb09E9+SXB/y++lsEWDIp47MmOLsKX1bwRJ0vvjF9 2nsw==
MIME-Version: 1.0
Received: by 10.182.95.205 with SMTP id dm13mr2948041obb.9.1351908656432; Fri, 02 Nov 2012 19:10:56 -0700 (PDT)
Received: by 10.76.27.103 with HTTP; Fri, 2 Nov 2012 19:10:56 -0700 (PDT)
In-Reply-To: <B627CB9C-CDB2-436C-88AC-6E69219A2BA4@callas.org>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com> <alpine.BSF.2.00.1211010935330.60568@hiroshima.bogus.com> <CAMm+LwjQiJ3aWpAYdy1hxtf09Sf=4g9AO=r-PihSPVkc8PMLkg@mail.gmail.com> <5092B8C4.3070607@cs.tcd.ie> <B627CB9C-CDB2-436C-88AC-6E69219A2BA4@callas.org>
Date: Fri, 02 Nov 2012 22:10:56 -0400
Message-ID: <CAMm+LwgRxgr2ZMa2W=hEvBZGkX9JCr-5BDRYbt_xh=QEbP3J=Q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Jon Callas <jon@callas.org>
Content-Type: multipart/alternative; boundary="14dae93b63203c44a104cd8dc313"
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2012 02:10:57 -0000
My original point was that adding additional complexity into the system is never simple. It is not just the small increment of complexity added that is the issue, it is how it interacts with all the existing increments of complexity. Network admin is very hard because the tools provided are total crap. It would be very easy for parts of the network to give feedback such as 'which port is hogging bandwidth by jabbering away in NETBIOS' but they don't. Net admins tend to be very suspicious of changes to configurations for good reason, they have been burned many times before by 'simple' changes. As for people warning about bugs... well yes, I told netscape about the flaw in their PRNG over a year before someone decompiled the code and 'discovered' it. Jeff Schiller and Alan Schiffman had both been on at me about the pitfalls of RNGs. Jeff because the Kerberos people got burned that way. What it comes down to in part is that some of us have a very different model of how to write code than the rest of you. Cross site scripting, SQL injection, buffer overruns, simply cannot occur in my coding world because I would never use a scripting language that way or SQL or have code without pervasive bound checking. The NSA avoids errors like Bleichenbacher in the same way. Perhaps we can learn from them. In the meantime, if we want to get past the net admins we have to give them a royal road and not lecture them. On Fri, Nov 2, 2012 at 8:52 PM, Jon Callas <jon@callas.org> wrote: > > On Nov 1, 2012, at 11:00 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > > > > > > > On 11/01/2012 05:22 PM, Phillip Hallam-Baker wrote: > >> Having worked in Web security over 20 years now, I have still to see a > case > >> where a system was breached because of a really subtle design flaw. > > > > Bleichenbacher? > > Maybe. By the time Bleichenbacher was actually an issue, a number of us > had been screaming for years. I suppose you can say that it was really > subtle because the people concerned about it weren't listened to. But that > has its own ick factor, too. Everything that people don't believe is > subtle. Is it subtle that you shouldn't be using 1024 bit RSA keys? 512? > > Jon > > _______________________________________________ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey > -- Website: http://hallambaker.com/
- [therightkey] Certrans BoF planning Paul Hoffman
- [therightkey] Call for agenda items for certrans … Paul Hoffman
- Re: [therightkey] Call for agenda items for certr… Phillip Hallam-Baker
- Re: [therightkey] Call for agenda items for certr… Paul Hoffman
- Re: [therightkey] Call for agenda items for certr… Paul Hoffman
- Re: [therightkey] Call for agenda items for certr… Phillip Hallam-Baker
- [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Phillip Hallam-Baker
- Re: [therightkey] Impact on issue processes Rob Stradling
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Phillip Hallam-Baker
- Re: [therightkey] Impact on issue processes Erwann Abalea
- Re: [therightkey] Impact on issue processes Rick Andrews
- Re: [therightkey] Impact on issue processes Chris Palmer
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Phillip Hallam-Baker
- Re: [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Rob Stradling
- Re: [therightkey] Impact on issue processes Paul Hoffman
- Re: [therightkey] Impact on issue processes Rick Andrews
- [therightkey] Other solutions to the problem Paul Hoffman
- Re: [therightkey] Impact on issue processes Chris Palmer
- Re: [therightkey] Other solutions to the problem Rick Andrews
- Re: [therightkey] Other solutions to the problem Chris Palmer
- Re: [therightkey] Other solutions to the problem Yoav Nir
- Re: [therightkey] Other solutions to the problem Rob Stradling
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Impact on issue processes Ben Laurie
- Re: [therightkey] Call for agenda items for certr… Ben Laurie
- Re: [therightkey] Other solutions to the problem Rick Andrews
- Re: [therightkey] Other solutions to the problem Leif Johansson
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Other solutions to the problem Rick Andrews
- Re: [therightkey] Other solutions to the problem Stephen Farrell
- Re: [therightkey] Other solutions to the problem Ben Laurie
- Re: [therightkey] Other solutions to the problem Phillip Hallam-Baker
- Re: [therightkey] Other solutions to the problem Ben Laurie
- [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Lucy Lynch
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Rick Andrews
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Stephen Farrell
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Ben Laurie
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Nico Williams
- Re: [therightkey] Barely-capable CAs Ben Laurie
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Paul Hoffman
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Rob Stradling
- Re: [therightkey] Barely-capable CAs Martin Rex
- Re: [therightkey] Barely-capable CAs Jon Callas
- Re: [therightkey] Barely-capable CAs Jon Callas
- Re: [therightkey] Barely-capable CAs Phillip Hallam-Baker