[cryptography] another cert failure

Erwann Abalea eabalea at gmail.com
Sat Jan 5 16:48:11 EST 2013


2013/1/5 Ryan Hurst <ryan.hurst at globalsign.com>

> I've been unable to find a screenshot but this FAQ does suggest that there
> is an explicit action required to enable HTTPS inspection:
> https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65123
>
>
I don't see anything there saying that an explicit action is necessary (in
addition to providing it with a CA certificate+key).
I also haven't found if the "HTTPS inspection" is compatible with a
stack/appliance/whatever you could put a server certificate on to act as an
SSL accelerator, server protection, or any other legitimate use.

> As for what appropriate consequences are for TurkTrust, so far my position
> would be that TurkTrust appears to have acted responsibly once they became
> aware of the issue and it seems their action was not malicious or
> representative of a systematic failure.
>
> If these two things are true and heavy-handed punishment is levied
> it would send the message to other actors in this ecosystem that responding
> openly and responsibly would likely result in the same punishment.
>
> While it's natural to want to classify all events in the CA ecosystem the
> same and respond uniformly, it appears from the information that has been
> released that this is not a case of another DigiNotar.
>

This is a different situation. DigiNotar didn't act maliciously at first.
They made a lot of mistakes. And most importantly, they tried to hide it
and later deny it, and the punishment was appropriate.

If TurkTrust acted maliciously but reacts transparently, they also need to
be punished.

> As such I would think it appropriate to consider this situation and its
> facts separately.
>

Their cooperation needs to be well considered, of course. But the facts and
motivations also need to be considered, not really compared to DigiNotar
but compared to TrustWave and the Mozilla communications to CAs that
followed.

-- 
Erwann.