Re: [TLS] Proposing CAA as PKIX Working Group Item

Geoffrey Keating <geoffk@geoffk.org> Sun, 05 June 2011 08:45 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E4E021F8491; Sun, 5 Jun 2011 01:45:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acJVPe3Mjbum; Sun, 5 Jun 2011 01:45:00 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id D47D121F8490; Sun, 5 Jun 2011 01:45:00 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id C0CB333D18D; Sun, 5 Jun 2011 08:44:58 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Yoav Nir <ynir@checkpoint.com>
References: <E1QSKXu-0000S2-2s@login01.fos.auckland.ac.nz> <81856AC0-F6FB-4321-93FE-559D5C5E2743@checkpoint.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 05 Jun 2011 01:44:58 -0700
In-Reply-To: <81856AC0-F6FB-4321-93FE-559D5C5E2743@checkpoint.com>
Message-ID: <m28vtgfz05.fsf@localhost.localdomain>
Lines: 24
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposing CAA as PKIX Working Group Item
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jun 2011 08:45:01 -0000

Yoav Nir <ynir@checkpoint.com> writes:

> Yoav Nir <ynir@checkpoint.com> writes:
> 
>> In late 2008, when some researchers got RapidSSL to sign a certificate
>> request that collided with their rogue sub-CA certificate, several things
>> came to light:
>> - They were a ridiculously small company, with the only full-time employee.
>> An accountant
...
> I'm not sure where I've read it. Probably some blog entry about the incident. Not Bruce Schneier's because his entries are still online. 
> 
> Anyway, checking the data for now, Business Week has this:
> http://investing.businessweek.com/research/stocks/private/people.asp?privcapId=20888814
> 
> It lists two "key executives", VP Marketing and VP Sales and no CEO/President. Click their links, and both have other jobs at Globalsign and other companies.
> 
> The key issue is the total lack of in-house expertise. Late in 2008, it wasn't RapidSSL that switched to MD5. Verisign did it for them:
> http://www.thetechherald.com/article.php/200852/2708/VeriSign-replaces-RapidSSL-certificates

RapidSSL is owned by GeoTrust which at the time was owned by VeriSign
(thus the press release), and now by Symantec.  It wouldn't surprise
me if RapidSSL itself has no employees at all.  I don't think Business
Week's data is reliable in this case.