[cryptography] another cert failure
noloader at gmail.com
Mon Jan 7 06:15:32 EST 2013
Off list. I am so gad damn angry at myself for seeing this sooner. It
all makes sense now.
OT: Have you read http://www.amazon.com/dp/1420059815? Perhaps you
contributed or technical edited?
Thanks again for your insight.
On Mon, Jan 7, 2013 at 3:15 AM, ianG <iang at iang.org> wrote:
> On 7/01/13 06:48 AM, Jeffrey Walton wrote:
>> On Sat, Jan 5, 2013 at 4:23 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>>> On Sat, Jan 5, 2013 at 3:59 PM, Ryan Hurst <ryan.hurst at globalsign.com>
>>> In the future, we won't need their honesty. Or the 'honesty' they want
>>> us to perceive.
>>> Did anyone really think a CA would risk a multimillion dollar business?
>> Did anything ever emerge about the pre-blog deal?
>> I suspect Mozilla/Trustwave transpired as follows:
>> (1) Trustwave issues certificate(s), violates agreements
>> (2) Trustwave realizes they are exposed to risk that could result in
>> reputational and financial loss
>> (3) Trustwave legal engages Mozilla
>> (4) A deal is brokered
>> (5) After the deal was executed, Trustwave blogged about the incident.
> LOL... Jeff, this is *exactly the logic* I used to use in the Mozilla mail
> group when I pressed the hypothesis that Mozilla cannot revoke roots. It's
> so nice to find someone who understands basic business issues.
> Some good came out of those arguments. Mozilla got their revocation
> procedure in place, and documented! The vendors thought about it some, and
> when it happened, they didn't flounder, they were able to roll out their
> procedures. Also, the vendors finally realised their legal position and
> made some changes in BR to defend themselves. 18.2 if you are interested.
> As it is legal of course, they won't ever comment.
> But the basic problem remains - if the CA resists, vendors cannot revoke
> reliably. Basically, what we have here are really tough and damaging
> consequences for small, insignificant CAs that are far away ... but those
> won't work so well if the CA is closer, heavier, and got lawyers. It's a
> start ... but, do you see how every change seems to be pointing in one
> particular direction? John Case will see it ;-)
>> Everything Trustwave and Mozilla did [publicly] was likely a dog and
>> pony show to alter our perception of reality.
>> The outcome was already known and fixed. Otherwise, Trustwave lawyers
>> would never have agreed to the deal, and the blog never would have
>> Mozilla had to play dumb to ensure it did not suffer reputational
>> loss; or jeopardize their relationship with Google, which could have
>> resulted in significant financial loss.
> Yeah. Little known fact is that Mozilla maintains confidential discussions
> with the CAs. The "open group" is basically theater, it has been totally
> owned by the CAs for many years. Mozilla routinely reports no meetings,
> minutes, positions, representations, agreements, NDAs, etc. Open
> contributors have been punching blind in a roman circus since the end of the
> first policy, which is why the open policy group has not really achieved as
> much as the advertisement claims.
> This all came out (if my memory serves me correctly) from observing that
> Mozilla resisted changes to the sub-CA regime. Sounds apropos? Basically,
> we worked out that Mozilla had been receiving private and confidential
> briefings from CAs about why they didn't want changes to the sub-CA regime.
> Mozilla found itself in the position of arguing those positions without
> declaring those positions.
> When it comes to it, Mozilla are hoisted on their own petard. It was they
> who agreed to confidential discussions, and they who entered into the
> CABForum -- those nice guys that Jon refers to are nice guys *when you sign
> up for their club* and that's not a new trick.
> But have a look at how they abused Mozilla's open policy group to rush
> through their confidentially-prepared standards for a faux public comments
> period. It's all in the archives, they brought in their supporters, they
> argued for no changes, they've worked on these documents sooooo long, 2
> years now, we can't go back now, why isn't a month long enough for comment,
> there's nothing to say, right?
> They may be nice guys, but they really sold Mozilla's reputation for their
> own benefit. It is going to take years for Mozilla to go open, if they were
> to so decide.
>> That also explains why the safety net failed.
> Yep. To add another "fact" to the mix -- PKI is not really a technical
> fight, which is why it is bemusing to technical communities.
> It is a legal fight. And the ones who know it are the larger CAs, vendors
> aren't the experts in this, although Microsoft is reputed to have had
> original expertise. So one thing you will find is that you can *sometimes*
> engage the players in technical conversation if you bring power to the
> table. But if you try a legal discussion, watch how fast everything ices