[cryptography] Symantec gets it wrong

Ian G iang at iang.org
Thu Sep 8 13:46:27 EDT 2011



> To be contrarian for a moment....
> 
> In the "old days" (a few months ago) the only real difference for a
> customer between most CAs was how widely their trust was distributed.

As far as I can see, trust is still distributed equally and broadly.  That's the nature of the homogenising design, right?  It's too early to call a difference from the Chrome clawback (aka pinning).


> What platforms (Windows, which mobile phones, etc).

You're talking about their root certificate, not trust.

> Today, maybe that has changed ever so slightly?  If a customer now
> fears that their/A CA will actually get de-listed from the popular
> platforms, thus causing them an outage, maybe customers start
> demanding CAs that are less likely to get de-listed? Maybe ones that
> can demonstrate better security controls, or somesuch?

I'd be more worried about the somesuch. The fact that CAs are issuing certificates without due cause & contract is far more important than that they stop issuing.  One causes a momentary outage (which happens every year or two anyway) ...

The other can cause MITMs! Ask Google!

And, there ain't a damn thing the subscriber or its CA can do.


> This isn't to say it justifies or supports the marketing campaign, but
> perhaps there is a real message hidden in there after all?

:) yeah but the marketing people at semantic are addicted to their own kool-aid. Any marketing done now would be a mistake. Not enough time for the full lessons to be learnt, dust still settling.  E.g. OCSP. Black or white?

Iang