lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Feb 2005 01:21:22 -0600 (CST)
From: Ron DuFresne <dufresne@...ternet.com>
To: Gwendolynn ferch Elydyr <gwen@...tiles.org>
Cc: bkfsec <bkfsec@....lonestar.org>,
	Scott Gifford <sgifford@...pectclass.com>,
	Neil W Rickert <rickert+bt@...niu.edu>, <bugtraq@...urityfocus.com>
Subject: Re: International Domain Name [IDN] support in modern browsers allows
 attackers to spoof domain name URLs + SSL certs.


On Wed, 16 Feb 2005, Gwendolynn ferch Elydyr wrote:

> On Wed, 16 Feb 2005, bkfsec wrote:
> > The local BBB is accountable to local laws.  CAs are spread throughout the
> > world and are global in nature.  As a member of a local community, I can
> > choose to familiarize myself with those regulations, understand them, and use
> > them against the BBB if they violate their trust.  I can also choose to go on
> > a crusade against the local BBB.
> >
> > I think that deep down we're agreeing on the point that they're inherently
> > untrustworthy.  My point in saying "if you take my meaning" was to hi-light
> > that rather than focus on this relatively minor nitpicking of point.  I'm not
> > the first one in this thread to bring up the BBB.  So take your point up with
> > the person who did bring it up, please.
>
> Actually I'm just trying to be explicitly clear about the path that
> you're using for trust.  The BBB just happens to be the example that
> you'd used as an organization that you'd trust more than your average CA.
>
> As I'm reading you, you're saying that you:
>
>  	(1) trust establishments that you can see and touch more
>  		than you trust establishments that you can't see or touch.
>
>  	(2) trust establishments that are bound by a legal system that
>  		you're familiar with more than establishments that are bound
>  		by a legal system that you aren't familiar with.
>
> IMHO the question is more about what your particular grounds for trust
> happen to be than whether CAs are all/partially/not trustworthy - or
> if the BBB in your area happens to be trustworthy.
>
> Personally I'd really debate the concept that physical proximity is
> in any respect grounds for trust - and that familiarity implies the same.
>
> I'd be far more inclined to suggest using consistent long term behaviour
> as a predictor - and implementing a system where significant incentives
> towards desired behaviour exist.
>

But do not "physical proximity" and "familiarity" not also imply that a
lengthy relationship is probable which would enable behavioural
observations of said length to determine it's consistency?  Somewhat like
the concept that a person gets better service from a smaller mom&pop shop
then they do in a superstore?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Powered by blists - more mailing lists