Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Yoav Nir <ynir@checkpoint.com> Sun, 05 June 2011 06:54 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Sun, 5 Jun 2011 09:53:41 +0300
Message-ID: <81856AC0-F6FB-4321-93FE-559D5C5E2743@checkpoint.com>
References: <E1QSKXu-0000S2-2s@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QSKXu-0000S2-2s@login01.fos.auckland.ac.nz>
Cc: "pkix@ietf.org" <pkix@ietf.org>, "paul.hoffman@vpnc.org" <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

On Jun 3, 2011, at 5:55 AM, Peter Gutmann wrote:

> Yoav Nir <ynir@checkpoint.com> writes:
> 
>> In late 2008, when some researchers got RapidSSL to sign a certificate
>> request that collided with their rogue sub-CA certificate, several things
>> came to light:
>> - They were a ridiculously small company, with the only full-time employee
>> an accountant.
> 
> I wasn't aware of this one, do you have any pointers to info on this?  I guess 
> a Webtrust audit doesn't check whether you have more than a single employee :-).
> 
> Peter.

I'm not sure where I've read it. Probably some blog entry about the incident. Not Bruce Schneier's because his entries are still online. 

Anyway, checking the data for now, Business Week has this:
http://investing.businessweek.com/research/stocks/private/people.asp?privcapId=20888814

It lists two "key executives", VP Marketing and VP Sales, and no CEO/President. Click their links, and both have other jobs at Globalsign and other companies.

The key issue is the total lack of in-house expertise. Late in 2008, it wasn't RapidSSL that switched to MD5. Verisign did it for them:
http://www.thetechherald.com/article.php/200852/2708/VeriSign-replaces-RapidSSL-certificates