[cryptography] Symantec gets it wrong

Alfonso De Gregorio adg at crypto.lo.gy
Thu Sep 8 14:30:54 EDT 2011


Hi,

On Thu, Sep 8, 2011 at 6:20 PM, Andy Steingruebl <andy at steingruebl.com>wrote:

> On Thu, Sep 8, 2011 at 1:30 AM, Ralph Holz <holz at net.in.tum.de> wrote:
> > Hi,
> >
> > I (still) cannot believe how Symantec reacts to the DigiNotar breaches -
> > basically ignoring the known shortcomings:
> >
> >
> http://www.symantec.com/connect/blogs/why-your-certificate-authority-matters
>
> To be contrarian for a moment....
>
> In the "old days" ( a few months ago) the only really difference for a
> customer between most CAs was how widely their trust was distributed.
> What platforms (Windows, which mobile phones, etc).  Their customers
> didn't have to care about quality, and really didn't have to care
> about the CA going away, except if the CA went bankrupt or
> something...
>
> Today, maybe that has changed ever so slightly?  If a customer now
> fears that their/A CA will actually get de-listed from the popular
> platforms, thus causing them an outage, maybe customers start
> demanding CAs that are less likely to get de-listed? Maybe ones that
> can demonstrate better security controls, or somesuch?
>

I don't expect the average Joe to know which security controls are better
than others and, in turn, I don't expect him to tell an untrustworthy CA
from yet-another-CA anytime soon. Even if he could (w.r.t. security controls
for the verification of the claimed identity), the incentives are misaligned
as the consumers strive for cheaper certificates and issuers for higher
margins.

The possibility exists for the CA industry to try to self-regulate, issuing
security mandates to comply with -- which are not necessarily right, well
focused or inexpensive (a PCI DSS deja vu).

Solving the PKI failures we are experiencing requires a multi-dimensional
approach. Information asymmetries need to be reduced. At the same time, we
need to address the architectural issues; as noted by Peter: "Universal
implicit cross-certification makes the entire system as weak as the weakest
link".


> This isn't to say it justifies or supports the marketing campaign, but
> perhaps there is a real message hidden in there after all?
>
> - Andy


-- alfonso     blogs at http://Plaintext.crypto.lo.gy   tweets @secYOUre
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20110908/5ae3841d/attachment.html>


More information about the cryptography mailing list