Re: [websec] Certificate Pinning via HSTS (.txt version)
SM <sm@resistor.net> Tue, 13 September 2011 23:06 UTC
Message-Id: <6.2.5.6.2.20110913153237.0851f630@resistor.net>
Date: Tue, 13 Sep 2011 16:06:53 -0700
To: Yoav Nir <ynir@checkpoint.com>
From: SM <sm@resistor.net>
In-Reply-To: <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)
Hi Yoav,

At 11:41 13-09-2011, Yoav Nir wrote:
>Six months ago we would not have thought that Comodo or DigiNotar
>were easy to hack. In the latter case, the customers of DigiNotar
>were left out in the cold.

Without

  "The DigiNotar partnership has laid down its security policy in
  action protocols and technical protocols. For safety reasons, these
  documents are not publicly available, which means that they are
  unavailable for inspection."

  "A regular audit is performed by an independent external auditor to
  assess Comodo's compliance with the AICPA/CICA WebTrust program for
  Certification Authorities."

People get sloppy. Businesses get complacent. At the end of the day,
it is a business decision.

Regards,
-sm