RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Hank Nussbacher
At 13:00 11/09/2011 -0600, Keith Medcalf wrote: Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-11 Thread Marcus Reid
On Sun, Sep 11, 2011 at 01:34:43PM -0500, Joe Greco wrote: > > > Because of that lost trust, any cross-signed cert would likely be revoked > > > by > > > the browsers. It would also make the browser vendors question whether the > > > signing CA is worthy of their trust. > > > > To pop up the sta

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread William Allen Simpson
On 9/11/11 11:28 PM, Christopher Morrow wrote: On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: Companies that wrap their services with generic domain names (paymybills.com and the like) have no one to blame but themselves when they are targeted by scammers and phishing schemes.

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 11:06 PM, Hughes, Scott GRE-MG wrote: > Companies that wrap their services with generic domain names (paymybills.com > and the like) have no one to blame but themselves when they are targeted by > scammers and phishing schemes. Even EV certificates don't help when consume

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Hughes, Scott GRE-MG
On Sep 11, 2011, at 9:44 PM, "Christopher Morrow" wrote: > On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: >> On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow >> wrote: >> >>> what's the real benefit of an EV cert? (to the service owner, not the >>> CA, the CA benefit is pretty clearly

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 10:23 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow > wrote: > >> what's the real benefit of an EV cert? (to the service owner, not the >> CA, the CA benefit is pretty clearly $$) > > The benefit is to the end user. > They see a green address

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Jimmy Hess
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow wrote: > what's the real benefit of an EV cert? (to the service owner, not the > CA, the CA benefit is pretty clearly $$) The benefit is to the end user. They see a green address bar with the company's name displayed. Yeah, company's name dis

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > EV certificates have a > different status and probably still need the CA model what's the real benefit of an EV cert? (to the service owner, not the CA, the CA benefit is pretty clearly $$) -chris (I've never seen the value in EV or even DV ce

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Christopher Morrow
On Sun, Sep 11, 2011 at 3:37 PM, wrote: > On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: >> The current system provides no more authentication or confidentiality >> than if everyone simply used self-signed certificates. > > Not strictly true.  The current system at least gives you "you hav

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Christopher Morrow
somewhat rhetorically... On Sun, Sep 11, 2011 at 2:30 AM, Damian Menscher wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the > signing CA is worthy of their trust. given a list of ca'

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Mark Andrews
In message <146102.1315769...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu writes: > (*) Has anybody actually enabled "only accept DNSSEC-signed A records" > on an end user system and left it enabled for more than a day before > giving up in disgust? ;) No. But I run with "reject anything

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Damian Menscher
On Sun, Sep 11, 2011 at 4:02 PM, Jimmy Hess wrote: > On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher > wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > Because of that lost trust, any cross-signed cert would likely be revoked > by > > the browsers. It would also make the brow

Re: Why are we still using the CA model? (Re: Microsoft deems all

2011-09-11 Thread Aaron C. de Bruyn
Neither at the moment--but it's close. -A On Sun, Sep 11, 2011 at 15:52, wrote: > On Sun, 11 Sep 2011 15:20:51 PDT, "Aaron C. de Bruyn" said: >> I'm pretty fond of the idea proposed by gpgAuth. One key to rule them >> all (and one password) combined with the client verifying the >> server. It's s

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Jimmy Hess
On Sun, Sep 11, 2011 at 1:30 AM, Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > Because of that lost trust, any cross-signed cert would likely be revoked by > the browsers.  It would also make the browser vendors question whether the I am not engaging in speculatio

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 15:20:51 PDT, "Aaron C. de Bruyn" said: > I'm pretty fond of the idea proposed by gpgAuth. One key to rule them > all (and one password) combined with the client verifying the > server. It's still in its infancy, but it works. Yes, but it needs to be something that either (a) Joe

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread James Harr
https://bugzilla.mozilla.org/show_bug.cgi?id=647959 --- SNIP --- This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates. The requested information as per the CA information checklist is as follows: 1. Name Honest Achmed's Used Cars and Certificates 2. W

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Aaron C. de Bruyn
I'm pretty fond of the idea proposed by gpgAuth. One key to rule them all (and one password) combined with the client verifying the server. It's still in its infancy, but it works. -A (Full disclosure: I work with the creator of gpgAuth in our day jobs) On Sun, Sep 11, 2011 at 11:47, Richard Barnes

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 13:00:09 MDT, Keith Medcalf said: > The current system provides no more authentication or confidentiality > than if everyone simply used self-signed certificates. Not strictly true. The current system at least gives you "you have reached the hostname your browser tried to reac

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Valdis . Kletnieks
On Sun, 11 Sep 2011 10:19:39 PDT, Joel jaeggli said: > To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the pot

RE: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Keith Medcalf
Damian Menscher wrote on 2011-09-11: > Because of that lost trust, any cross-signed cert would likely be > revoked by the browsers. It would also make the browser vendors > question whether the signing CA is worthy of their trust. And therein is the root of the problem: Trustworthiness is asses

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Richard Barnes
There's an app^W^Wa Working Group for that. On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones wrote: > On 11 September 2011 16:55, Bjørn Mork wrote: >> You can rewrite that: Trust is the CA business.  Trust has a price.  If >> the CA is not trusted, the price increases

Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-11 Thread Mike Jones
On 11 September 2011 16:55, Bjørn Mork wrote: > You can rewrite that: Trust is the CA business.  Trust has a price.  If > the CA is not trusted, the price increases. > > Yes, they may end up out of business because of that price jump, but you > should not neglect the fact that trust is for sale he

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread lgomes00
2011/9/11, Joel jaeggli : > On 9/10/11 23:30 , Damian Menscher wrote: >> On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: >> >>> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid >>> wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: I like this response; instant CA deat

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-11 Thread Joe Greco
> > Because of that lost trust, any cross-signed cert would likely be revoked by > > the browsers. It would also make the browser vendors question whether the > > signing CA is worthy of their trust. > > To pop up the stack a bit it's the fact that an organization willing to > behave in that fash

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread sthaug
> To pop up the stack a bit it's the fact that an organization willing to > behave in that fashion was in my list of CA certs in the first place. > Yes they're blackballed now, better late than never I suppose. What does > that say about the potential for other CAs to behave in such a fashion? I'd

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Joel jaeggli
On 9/10/11 23:30 , Damian Menscher wrote: > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > >> On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: >>> On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: >>> I like this response; instant CA death penalty seems to put the >>> incen

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Bjørn Mork
Cameron Byrne writes: > Yep. The CA business is one of trust. If the CA is not trusted, they are out > of business. You can rewrite that: Trust is the CA business. Trust has a price. If the CA is not trusted, the price increases. Yes, they may end up out of business because of that price jump

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Cameron Byrne
On Sep 10, 2011 11:38 PM, "Damian Menscher" wrote: > > On Fri, Sep 9, 2011 at 11:33 PM, Jimmy Hess wrote: > > > On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid wrote: > > > On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: > > > I like this response; instant CA death penalty seems to p

Re: NAT444 or ?

2011-09-11 Thread Cameron Byrne
On Sep 11, 2011 4:33 AM, "Dobbins, Roland" wrote: > > On Sep 11, 2011, at 4:02 PM, Leigh Porter wrote: > > > I'd agree that, usually, distributed is better but these are not distributed networks, there is a single point (or a few large single points) of contact. > > The point is that these aggrega

Re: NAT444 or ?

2011-09-11 Thread Dobbins, Roland
On Sep 11, 2011, at 4:02 PM, Leigh Porter wrote: > I'd agree that, usually, distributed is better but these are not distributed > networks, there is a single point (or a few large single points) of contact. The point is that these aggregations of state are quite vulnerable, and therefore they s

Re: Access and Session Control System?

2011-09-11 Thread Eugeniu Patrascu
If you also want to control where they go from the jump box, you might want to look at http://www.xceedium.com/en/index.php as they claim to add rules to what a remotely logged in user can do. Juniper SA is very nice and gets intuitive after you familiarize yourself with its workflow which is a

RE: NAT444 or ?

2011-09-11 Thread Leigh Porter
> -Original Message- > From: Cameron Byrne [mailto:cb.li...@gmail.com] > Ip mobility via gtp or mobile ip generally does not work when you nat > at the > 'edge'. If you don't want your ip address to change every time you > change > cell sites, the nat has to be centralized. > > Cb Inde

Re: Hurricane Katia

2011-09-11 Thread Ken Gilmour
Not so bad for UK but there is an extreme weather warning for the west of Ireland http://www.independent.ie/national-news/hurricane-alert-storm-winds-coming-as-katia-moves-in-2872652.html -- Sent from my Android tablet. Please excuse my brevity On Sep 11, 2011 2:53 AM, "Jay Mitchell" wrote: > Ju

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread Michael Painter
Damian Menscher wrote: The problem here wasn't just that DigiNotar was compromised, but that they didn't have an audit trail and attempted a coverup which resulted in real harm to users. It will be difficult to re-gain the trust they lost. Because of that lost trust, any cross-signed cert would