On 3/28/25 18:04, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
Aleksandar Kuktin writes:

 ...the "trust"
chain originates with the manufacturer, or more accurately with
whomever controls the manufacturer, you'll never be in complete control
of the device.
--

This is such an important and overlooked point.

We partnered with, and invested in, StartCom, a certification authority that helped us build our Osmio CA. We chose them because of their reputation for integrity: they actually checked out the claims of domain owners before signing an X.509 SSL certificate (unlike many others).

We were minority shareholders, so when the CEO decided to put the company up for sale we had no choice but to consent to selling this business with a noteworthy integrity asset.

So when a company with a noteworthy asset puts itself up for sale, of course it attracts buyers who lack that asset, right? So a Chinese company bought StartCom in order to issue fraudulent X.509 certificates.

Fortunately they were quickly caught by members of the CA Forum. All the browser makers quickly deleted the StartCom root from their browsers, and all of a sudden the users of sites backed by StartCom SSL certificates got the ugly go-away-do-not-trust-this-site message.

Certification authorities should be like the vital records departments of city hall. You may be able to buy the mayor, but everyone in the vital records department knows that their only asset is their integrity. You can't buy the vital records department.

The notion of a commercial certification "authority" is pure folly.

And attributing enduring significance to a company's privacy practices (hello Apple) is also folly. A big hedge fund or PE might decide there's money to be made by buying a controlling interest in Apple and getting it to act like the rest of Silibandia, stealing and selling personal information for a big boost in earnings and share value.

A company is not a person. Unlike a person's character, which is usually enduring, a company's character is created at the whim of its controlling shareholder.



*Wes Kussmaul*

*Reliable Identities, Inc.*
an Authenticity Enterprise

------------------------------------------
9fans: 9fans
Permalink: 
https://9fans.topicbox.com/groups/9fans/T4aedea377a3d63c1-Md91c073022804b38253c4251