[cryptography] this house believes that user's control over the root list is a placebo

Arshad Noor arshad.noor at strongauth.com
Mon Jun 27 20:59:36 EDT 2011


On 06/26/2011 02:50 AM, Ralph Holz wrote:
>
> Which brings us to the next point: how do we measure improvement? What
> we would need - and don't have, and likely won't have for another long
> while - are numbers that are statistically meaningful.
>
> On moz.dev.sec.policy, the proposal is out that CAs need to publicly
> disclose security incidents and breaches. This could actually be a good
> step forward.

I agree - except that it should apply to more than just CAs.

In 2008, I sent the following e-mail to my representatives and both
Presidential candidates:

http://seclists.org/dataloss/2008/q3/133

Its intent was to initiate a change in policy wrt breach disclosures.
There was not even the courtesy of a form-response from most of them,
so it's not surprising that we continue to fly blind in 2011.

Arshad Noor
StrongAuth, Inc.


