[cryptography] another cert failure

Ryan Hurst ryan.hurst at globalsign.com
Sat Jan 5 16:57:46 EST 2013


The text in that FAQ refers to the administrator enabling HTTPS inspection, my assumption is that for there to be FAQ references it is 'obvious' in the UI that it can be enabled.

That said I don't disagree with most of what you said below.

Ryan Hurst

Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 1:48 PM, Erwann Abalea <eabalea at gmail.com> wrote:

> 2013/1/5 Ryan Hurst <ryan.hurst at globalsign.com>
>> I've been unable to find a screenshot but this FAQ does suggest that there is an explicit action required to enable HTTPS inspection: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65123
> I don't see anything there telling an explicit action is necessary (in addition to provide it with a CA certificate+key).
> I also haven't found if the "HTTPS inspection" is compatible with a stack/appliance/whatever you could put a server certificate on to act as an SSL accelerator, server protection, or any other legitimate use.
>> As for what appropriate consequences are for TurkTrust; so far my position would be that TurkTrust appears to have acted responsibly once they became aware of the issue and it seems their action was not malicious or representative of a systematic failure.
>> If these two things are true and heavy-handed punishment is levied it would send the message to other actors in this ecosystem that responding openly and responsibly would likely result in the same punishment.
>> While it's natural to want to classify all events in the CA ecosystem the same and respond uniformly, it appears from the information that has been released that this is not a case of another DigiNotar.
> This is a different situation. DigiNotar didn't act maliciously at first. They made a lot of mistakes. And most importantly, they tried to hide it and later deny it, and the punishment was appropriate.
> If TurkTrust acted maliciously but reacts transparently, they also need to be punished.
>> As such I would think It appropriate to consider this situation and it's facts separately.
> Their cooperation needs to be well considered, of course. But the facts and motivations also need to be considered, not really compared to DigiNotar but compared to TrustWave and the Mozilla communications to CAs that followed.
> -- 
> Erwann.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130105/786df8fd/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2098 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130105/786df8fd/attachment.p7s>

More information about the cryptography mailing list