IETF Logo Mail Archive

Re: [therightkey] Barely-capable CAs

Jon Callas <jon@callas.org> Sat, 03 November 2012 00:52 UTC

Return-Path: <jon@callas.org>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 670C41F0C91 for <therightkey@ietfa.amsl.com>; Fri, 2 Nov 2012 17:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TePiVD851aNc for <therightkey@ietfa.amsl.com>; Fri, 2 Nov 2012 17:52:44 -0700 (PDT)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id 449A61F0C5F for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:52:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 634F012AD309 for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:52:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Er8gKKWHa3E for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:52:41 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id E44C812AD2FE for <therightkey@ietf.org>; Fri, 2 Nov 2012 17:52:40 -0700 (PDT)
Received: from [10.0.23.14] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Fri, 02 Nov 2012 17:52:41 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 02 Nov 2012 17:52:41 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <5092B8C4.3070607@cs.tcd.ie>
Date: Fri, 02 Nov 2012 17:52:39 -0700
Message-Id: <B627CB9C-CDB2-436C-88AC-6E69219A2BA4@callas.org>
References: <7500672F-5BDE-4EBE-ABC3-1AFEF2972D95@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D3FBAE8@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CAOuvq22PMSq2sAmUBfJcWu6LhEdCA3jKteu38m4UuHbykp7xZw@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069D5FC685@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <6DD8CB4F-1233-403D-A27E-F3F80310390F@vpnc.org> <544B0DD62A64C1448B2DA253C0114146069D5FC79B@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <508A48C5.9070005@comodo.com> <544B0DD62A64C1448B2DA253C0114146069D76E5FC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9STHtw__Wm30Z5T27mx8PMb-mScCSa-EZVDdeQvy_Rru1Q@mail.gmail.com> <544B0DD62A64C1448B2DA253C0114146069F66F830@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <CABrd9SSJWm_8BY9uN4D6=LmogwkNeLMZtJaOX2MQU1QuCHJwyg@mail.gmail.com> <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org> <CAMm+Lwh2Qhv8eHtmy=KisShdJiLYe=ziyfezQELqqfu8y9H5qg@mail.gmail.com> <alpine.BSF.2.00.1211010935330.60568@hiroshima.bogus.com> <CAMm+LwjQiJ3aWpAYdy1hxtf09Sf=4g9AO=r-PihSPVkc8PMLkg@mail.gmail.com> <5092B 8C4.3070607@cs.tcd.ie>
To: therightkey@ietf.org
X-Mailer: Apple Mail (2.1499)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [therightkey] Barely-capable CAs
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2012 00:52:44 -0000

On Nov 1, 2012, at 11:00 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> 
> 
> On 11/01/2012 05:22 PM, Phillip Hallam-Baker wrote:
>> Having worked in Web security over 20 years now, I have still to see a case
>> where a system was breached because of a really subtle design flaw. 
> 
> Bleichenbacher?

Maybe. By the time Bleichenbacher was actually an issue, a number of us had been screaming for years. I suppose you can say that it was really subtle because the people concerned about it weren't listened to. But that has its own ick factor, too. Everything that people don't believe is subtle. Is it subtle that you shouldn't be using 1024 bit RSA keys? 512?

	Jon

v2.23.0 | Report a Bug | By Email