Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
Ralph Holz <holz@net.in.tum.de> Fri, 03 January 2014 17:12 UTC
Message-ID: <52C6EF76.4090106@net.in.tum.de>
Date: Fri, 03 Jan 2014 18:12:22 +0100
From: Ralph Holz <holz@net.in.tum.de>
To: Leif Johansson <leifj@mnt.se>, therightkey@ietf.org
In-Reply-To: <52C6C966.3090606@mnt.se>
Hi,

> Assumes you run an updated browser, right?

I think the cert was blacklisted immediately after the publication/talk, that means at least 4 years ago. At least in IE, the auto-update may have helped. Not sure about the Fox. There really is nothing we can do for users that haven't updated since. Any 2nd Web site they may visit may exploit those old vehicles.

> Blacklisting isn't part of the PKIX trust model, but a band-aid used to
> fix the lack of deployed/able revocation.

Tell me something new. ;-)

Although in fact, the whole thing goes much deeper. A broken hash algorithm means root cert-like compromise as it means the capacity to imitate a correct signature by a root cert. There is no fix for this but blacklisting. Not in any model with TTPs, by the way.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
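The two kinds of blacklisting the exchange above contrasts, as an added example that is not code from the mail or from the list: a client-side check that first rejects a certificate whose SHA-256 fingerprint is on a per-certificate blacklist (the band-aid applied to the one known rogue cert), then rejects any certificate whose outer signatureAlgorithm is md5WithRSAEncryption (an algorithm blacklist, which also catches every other cert forged the same way). The small DER reader and the constructed `fake_cert` samples are mine and assumed for illustration; only the OIDs are standard PKCS#1 values.

```python
import hashlib
# DER-encoded PKCS#1 signature-algorithm OIDs (standard values, not from the mail).
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4, used by the rogue CA cert
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11, the "good" case
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # algorithm blacklist

def der(tag, body):                        # minimal DER TLV encoder, short-form length only
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(body):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate, skipped here
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return oid_to_str(oid)

def fingerprint(cert_der): return hashlib.sha256(cert_der).hexdigest()

def check_cert(cert_der, blocklist):
    """Client policy: per-certificate blacklist first, then algorithm blacklist."""
    if fingerprint(cert_der) in blocklist:
        return False, "blacklisted fingerprint"
    oid = signature_oid(cert_der)
    if oid in WEAK_SIG_OIDS:
        return False, "weak signature algorithm " + WEAK_SIG_OIDS[oid]
    return True, "ok"

def fake_cert(sig_oid):
    """Constructed sample: real outer Certificate shape, placeholder tbs and signature."""
    tbs, alg = der(0x30, der(0x02, b"\x01")), der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(16)))
```

A per-certificate blacklist only stops the one fingerprint it knows; the algorithm check is what stops a second certificate forged with the same broken hash.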