Message-ID: <42136B3B.8050603@sdf.lonestar.org>
Date: Wed, 16 Feb 2005 10:48:11 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: Gwendolynn ferch Elydyr <gwen@...tiles.org>
Cc: Scott Gifford <sgifford@...pectclass.com>,
	Neil W Rickert <rickert+bt@...niu.edu>, bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.


Gwendolynn ferch Elydyr wrote:

>> Well, I meant more accountable than CAs are.  I still think that that 
>> statement is accurate if you take my meaning.
>
>
> Actually I don't take your meaning.  I'd appreciate it if you could
> spell out why you think that one organization paid to provide trust is 
> different from another organization paid to provide trust.
>

Simple:  relative physical location.

The local BBB is accountable to local laws.  CAs are spread throughout 
the world and are global in nature.  As a member of a local community, I 
can choose to familiarize myself with those regulations, understand 
them, and use them against the BBB if they violate their trust.  I can 
also choose to go on a crusade against the local BBB.

Listen, I'm sure that you have a bone to pick with the BBB and I have no 
quarrel with that.  My point isn't that the BBB is a reputable, great 
organization (I don't really believe that it is).  My point is that the 
CAs aren't trustworthy in that way and are even less trustworthy in my 
view than the BBB.

I think that deep down we're agreeing on the point that they're 
inherently untrustworthy.  My point in saying "if you take my meaning" 
was to highlight that rather than focus on this relatively minor 
nitpicking of the point.  I'm not the first one in this thread to bring up 
the BBB.  So take your point up with the person who did bring it up, please.

         -Barry
