From: yossarian at planet.nl (yossarian)
Subject: PGP vs. certificate from Verisign

Jason wrote:
> They do exist and have... http://crl.verisign.com/

Well, apparently this is a CRL list. Good. Then some questions remain:
would this server handle a few 100,000 concurrent requests getting a 666k or
118k file? Could this be a CDP for use of MS certs, or should they have
built it themselves? The certs included were Verisign's; the cert did not
include a CDP, so I don't think it was MS's responsibility.

Other minor question: why does the RPA shout "YOU ARE SOLELY RESPONSIBLE FOR
DECIDING WHETHER OR NOT TO RELY ON THE INFORMATION IN A CERTIFICATE."
(item 3)? The RPA also states that if my browser decides to check a CRL, as a
Relying Party (I will be) obligated to:

     (i) independently assess the appropriateness of the use of a
Certificate for any given purpose and determine that the Certificate will,
in fact, be used for an appropriate purpose;

     (ii) utilize the appropriate software and/or hardware to perform
digital signature verification or other cryptographic operations you wish to
perform, as a condition of relying on a Certificate in connection with each
such operation. Such operations include identifying a Certificate Chain and
verifying the digital signatures on all Certificates in the Certificate
Chain. You agree that you will not rely on a Certificate unless these
verification procedures are successful;

     (iii) check the status of a Certificate on which you wish to rely, as
well as all the Certificates in its Certificate Chain. If any of the
Certificates in the Certificate Chain have been revoked, you agree that
you will not rely on the end-user Subscriber Certificate or other revoked
Certificate in the Certificate Chain; and

     (iv) rely on the Certificate, if all of the checks described in the
previous paragraphs are successful, provided that reliance upon the
Certificate is reasonable under the circumstances and in light of Section 3
of this Agreement. If the circumstances indicate a need for additional
assurances, it is your responsibility to obtain such assurances for such
reliance to be deemed reasonable.

Well? How does one do that?

And then this:

You agree to release, indemnify, defend and hold harmless VeriSign and any
non-VeriSign CAs or RAs, and any of their respective contractors, agents,
employees, officers, directors, shareholders, affiliates and assigns from
all liabilities, claims, damages, costs and expenses, including reasonable
attorney's fees and expenses, of third parties relating to or arising out of
(i) your failure to perform the obligations of a Relying Party, (ii) your
reliance on a Certificate that is not reasonable under the circumstances, or
(iii) your failure to check the status of a Certificate to determine if the
Certificate is expired or revoked. When VeriSign is threatened with suit or
sued by a third party, VeriSign may seek written assurances from you
concerning your promise to indemnify VeriSign, your failure to provide those
assurances may be considered by VeriSign to be a material breach of this
Agreement. VeriSign shall have the right to participate in any defense by
you of a third-party claim related to your use of any VeriSign services,
with counsel of our choice at your own expense. You shall have sole
responsibility to defend VeriSign against any claim, but you must receive
VeriSign's prior written consent regarding any related settlement. The terms
of this Section 11 will survive any termination or cancellation of this
Agreement.

> you have to read the CPS, know the liabilities, and then accept them IMHO.

As you can see, I have done this. Now I know the liabilities and my
duties... I do not accept them.

To Kurt:
Maybe there is no real new disclosure in this, but should full disclosure
necessarily be new? We can't all know everything, and there are all too many
people wanting to learn here - the original question that started the
discussion was quite off topic so it had to evolve this way.
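The "How does one do that?" above, for RPA items (ii) and (iii) at least, can be answered mechanically. What follows is an added example, not code from the original post or from VeriSign: it builds a constructed three-tier PKI with Python's `cryptography` package (root, issuing CA, end-entity cert; all names, serials and the fixed clock are made up), then performs the relying-party checks the RPA lists: verify every signature in the chain against the next certificate up, check every validity period, and look up every certificate in the chain, not just the leaf, in its issuer's CRL. The third scenario shows the case item (iii) is about: the leaf itself is on no CRL, but the intermediate that issued it is revoked, so the relying party must refuse.

```python
"""Relying-party checks from the quoted RPA items (ii) and (iii), run offline
on a constructed PKI.  Added example, not the original post's code; needs the
'cryptography' package.  Names, serials and the clock are all made up."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = datetime.datetime(2024, 1, 1)  # fixed clock (naive UTC) so runs are reproducible


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(subject, issuer, issuer_key, key, is_ca):
    """Issue a certificate for `key` signed by `issuer_key` (self-signed when both match)."""
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_crl(issuer, issuer_key, revoked_serials):
    """Sign a CRL listing `revoked_serials`, valid for a week from NOW."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(_name(issuer))
         .last_update(NOW - datetime.timedelta(hours=1))
         .next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())


def signature_ok(cert, issuer_cert):
    """Item (ii): the issuer's public key must verify this certificate's signature."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def rely(chain, crls, trust_anchor, now=NOW):
    """chain = [leaf, intermediate, ...] (leaf first); crls maps issuer CN -> CRL.
    Returns (ok, reason).  Any failure on any certificate means 'do not rely'."""
    full = chain + [trust_anchor]
    for i, cert in enumerate(full):
        issuer = full[i + 1] if i + 1 < len(full) else trust_anchor  # root is self-signed
        cn, icn = _cn(cert.subject), _cn(issuer.subject)
        if cert.issuer != issuer.subject:
            return False, f"{cn}: issuer name does not match {icn}"
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, f"{cn}: issuer {icn} is not a CA"
        if not signature_ok(cert, issuer):
            return False, f"{cn}: signature by {icn} does not verify"
        if not (cert.not_valid_before <= now <= cert.not_valid_after):
            return False, f"{cn}: outside validity period"
        if cert is trust_anchor:
            continue  # trusted out of band; nobody above it issues a CRL for it
        # Item (iii): status of *every* certificate in the chain, not only the leaf.
        crl = crls.get(icn)
        if crl is None:
            return False, f"{cn}: no CRL from {icn}, status unknown"
        if not crl.is_signature_valid(issuer.public_key()) or crl.next_update < now:
            return False, f"{cn}: CRL from {icn} is not valid or is stale"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, f"{cn}: revoked by {icn}"
    return True, "chain verified, all certificates unrevoked"


def demo():
    """Three scenarios on the constructed PKI; returns {scenario: (ok, reason)}."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Constructed Root CA", "Constructed Root CA", root_key, root_key, True)
    inter = make_cert("Constructed Issuing CA", "Constructed Root CA", root_key, inter_key, True)
    leaf = make_cert("www.example.test", "Constructed Issuing CA", inter_key, leaf_key, False)
    chain = [leaf, inter]
    clean = {"Constructed Root CA": make_crl("Constructed Root CA", root_key, []),
             "Constructed Issuing CA": make_crl("Constructed Issuing CA", inter_key, [])}
    # The intermediate, not the leaf, is revoked by the root; item (iii) still
    # forbids relying on the leaf.
    inter_revoked = dict(clean, **{"Constructed Root CA":
                                   make_crl("Constructed Root CA", root_key, [inter.serial_number])})
    no_root_crl = {"Constructed Issuing CA": clean["Constructed Issuing CA"]}
    return {"clean": rely(chain, clean, root),
            "intermediate revoked": rely(chain, inter_revoked, root),
            "root CRL unavailable": rely(chain, no_root_crl, root)}


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{scenario:22s} rely={ok}  ({why})")
```

Note what the "root CRL unavailable" scenario implies for the CDP question above: if the CRL cannot be fetched (or the CDP is missing from the cert, as in the MS case), the honest answer under item (iii) is "status unknown, do not rely", which is exactly what most browsers of the time did not do.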

