[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20100802163637.A9F6C28049@smtp.hushmail.com>
Date: Mon, 02 Aug 2010 12:36:37 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk, peak@...o.troja.mff.cuni.cz
Subject: Re: Expired certificate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
<snip>
Can't you? The world is full of unpatched systems. You can even find
systems where patches are not installed because it is running a
piece of
mission critical software and they would lose support if they
installed
any patches (I am not making this up).
</snip>
Spot on. I know of one large accounting/ERP system(which shall
remain nameless, though I am sure there are those out there who
have come across it) that checked the SQL version, including the
revision number at runtime, which made patching SQL impossible.
On Sun, 01 Aug 2010 15:38:46 -0400 Pavel Kankovsky
<peak@...o.troja.mff.cuni.cz> wrote:
>On Sun, 25 Jul 2010, Dan Kaminsky wrote:
>
>> > So... no one is doing revocation checking and expiration is
>evil.
>> > How are we supposed to get rid of invalid certificates?
>>
>> Ask me that in a few days ;)
>
>Has one week been enough for you? :)
>
>> So nobody will sell you a name constrained certificate. It's
>almost
>> like there are serious implementation issues with the extension
>in the
>> field.
>
>Obviously not serious enough to prevent their use by US Federal
>Bridge CA.
>See
><http://www.idmanagement.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf>
>
>> Absolutely correct. Whatever world X.509 is great for, it sure
>ain't
>> this one.
>
>Governments and big companies *are* hierarchical and bureacratic
>and X.509
>was developed for them.
>
>> Patch management involves the same thing being put on different
>hosts,
>> and there's really no choice -- you can't run an infrastructure
>without
>> maintaining it, on some timescale anyway.
>
>Can't you? The world is full of unpatched systems. You can even
>find
>systems where patches are not installed because it is running a
>piece of
>mission critical software and they would lose support if they
>installed
>any patches (I am not making this up).
>
>> Certificate management involves different things being put on
>different
>> hosts, [...]
>
>This is a red herring. When you have got a bag of certificates, it
>is
>trivial to pick the right certificate for every host and check it
>automatically both before and after deployment. And everything
>else but
>the bits (place where the cert is installed, services that need to
>be
>restarted etc.) can stay identical.
>
>> [...] and there's totally a choice -- you can simply not have a
>> certificate at all.
>
>Yes. And you can teach your users to check all server public keys
>manually. You can also make a choice to send everything in
>cleartext and
>set all passwords to "123456" because it will make your life much
>easier.
>
>> To paraphrase another quote, "X.509 never fails, only X.509
>deployers."
>
>I do not say X.509 never fails, I question
>
>> You know, it's strange. I never hear stories about networks
>being taken
>> down for nonpayment of electric bills, but we have straight up
>UI
>> support for certificate errors. Why do you think that is?
>
>There are various cases of epic fails related to electric bills
>but I
>admit I have not found a clear example affecting IT infrastructure
>
>directly.
>
>Replace interrupted power supply with expired domain registration
>and
>you'll be able to find dozens of incidents, all of them affecting
>IT for
>obvious reasons--and some of them involving big names like
>Microsoft and
>Google.
>
>--
>Pavel Kankovsky aka Peak / Jeremiah 9:21
> \
>"For death is come up into our MS Windows(tm)..." \ 21st century
>edition /
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
wpwEAQECAAYFAkxW9BUACgkQi04xwClgpZiFcAP+OdK2LXgk4IWqZYOMSBRGnMw7yM8N
j70MmuihfrvK6q2wyhPtizhnldqX3sWCKhhyHgZbkEUhEtiiOkycKf4x42CO/+dqxzAU
xufzLA6paJrf4ugyCPd7xZteEpgKmSFOQVtt8IZV3ttdEbQ4kRpVmdpa5dtWRRBq0b9q
DeB2GwI=
=5IDt
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists