[cryptography] Symantec gets it wrong
iang at iang.org
Thu Sep 8 13:46:27 EDT 2011
> To be contrarian for a moment....
> In the "old days" (a few months ago) the only real difference for a
> customer between most CAs was how widely their trust was distributed.
As far as I can see, trust is still distributed equally and broadly. That's the nature of the homogenising design, right? It's too early to call a difference from the Chrome clawback (aka pinning).
> What platforms (Windows, which mobile phones, etc).
You're talking about their root certificate, not trust.
> Today, maybe that has changed ever so slightly? If a customer now
> fears that their/A CA will actually get de-listed from the popular
> platforms, thus causing them an outage, maybe customers start
> demanding CAs that are less likely to get de-listed? Maybe ones that
> can demonstrate better security controls, or somesuch?
I'd be more worried about the somesuch. The fact that CAs are issuing certificates without due cause & contract is far more important than that they stop issuing. One causes a momentary outage (which happens every year or two anyway) ...
The other can cause MITMs! Ask Google!
And, there ain't a damn thing the subscriber or its CA can do.
> This isn't to say it justifies or supports the marketing campaign, but
> perhaps there is a real message hidden in there after all?
:) yeah, but the marketing people at Symantec are addicted to their own kool-aid. Any marketing done now would be a mistake. Not enough time for the full lessons to be learnt, dust still settling. E.g. OCSP. Black or white?