[cryptography] another cert failure

Ryan Hurst ryan.hurst at globalsign.com
Sat Jan 5 15:59:45 EST 2013


I've been unable to find a screenshot but this FAQ does suggest that there is an explicit action required to enable HTTPS inspection: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65123

As for what appropriate consequences are for TurkTrust, so far my position would be that TurkTrust appears to have acted responsibly once they became aware of the issue and it seems their action was not malicious or representative of a systematic failure.

If these two things are true and heavy-handed punishment is levied it would send the message to other actors in this ecosystem that responding openly and responsibly would likely result in the same punishment.

While it's natural to want to classify all events in the CA ecosystem the same and respond uniformly, it appears from the information that has been released that this is not a case of another DigiNotar.

As such I would think it appropriate to consider this situation and its facts separately.

Ryan Hurst

Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 12:44 PM, Jeffrey Walton <noloader at gmail.com> wrote:

> On Sat, Jan 5, 2013 at 3:26 PM, Ryan Hurst <ryan.hurst at globalsign.com> wrote:
>> Ian, I do agree with you that the dynamic configurations of the firewall is the most suspect part of the story.
>> 
>> I'm inclined to give them the benefit of the doubt based on my experience managing some UI related efforts inside of Windows -- aka today modern software makes an effort to intuit user intent based off of action.
> I think we need a screen shot of the UI in question. I have not
> managed a Checkpoint firewall in years, but I have my suspicions. That
> might offer something fairly conclusive about the willfulness of the
> end customer.
> 
> TurkTrust likely sold the certificates in pursuit of profits. I don't
> think there's any doubt about that. Are they not responsible for their
> actions (even if it was a mistake in hindsight)?
> 
> OT: what are folks going to do when a data breach occurs in someone
> else's cloud provider and your PII/SSN goes flying out the window.
> Worse, bury it in layers of corporate indirection so it's nearly
> impossible to be made whole. Are folks going to give those negligent
> the benefit of the doubt and say it's OK?
> 
> Jeff