lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050216132112.V52923@skink.reptiles.org>
Date: Wed, 16 Feb 2005 13:49:54 -0500 (EST)
From: Gwendolynn ferch Elydyr <gwen@...tiles.org>
To: bkfsec <bkfsec@....lonestar.org>
Cc: Scott Gifford <sgifford@...pectclass.com>,
	Neil W Rickert <rickert+bt@...niu.edu>, bugtraq@...urityfocus.com
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


On Wed, 16 Feb 2005, bkfsec wrote:
> The local BBB is accountable to local laws.  CAs are spread throughout the 
> world and are global in nature.  As a member of a local community, I can 
> choose to familiarize myself with those regulations, understand them, and use 
> them against the BBB if they violate their trust.  I can also choose to go on 
> a crusade against the local BBB.
>
> I think that deep down we're agreeing on the point that they're inherently 
> untrustworthy.  My point in saying "if you take my meaning" was to hi-light 
> that rather than focus on this relatively minor nitpicking of point.  I'm not 
> the first one in this thread to bring up the BBB.  So take your point up with 
> the person who did bring it up, please.

Actually I'm just trying to be explicitly clear about the path that
you're using for trust.  The BBB just happens to be the example that
you'd used as an organization that you'd trust more than your average CA.

As I'm reading you, you're saying that you:

 	(1) trust establishments that you can see and touch more
 		than you trust establishments that you can't see or touch.

 	(2) trust establishments that are bound by a legal system that
 		you're familiar with more than establishments that are bound
 		by a legal system that you aren't familiar with.

IMHO the question is more about what your particular grounds for trust
happen to be than whether CAs are all/partially/not trustworthy - or
if the BBB in your area happens to be trustworthy.

Personally I'd really debate the concept that physical proximity is 
in any respect grounds for trust - and that familiarity implies the same.

I'd be far more inclined to suggest using consistent long term behaviour
as a predictor - and implementing a system where significant incentives 
towards desired behaviour exist.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ