A Few Thoughts on Cryptographic Engineering

Discussion in 'privacy technology' started by Hungry Man, Feb 28, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

  2. EncryptedBytes

    EncryptedBytes Registered Member

    While I agree the PKI system as it stands now needs an overhaul, I do believe you will not see any real reform until you start hitting them where it hurts (their cash flow). 97% of their revenue is generated from governments and corporations globally, most of which are happy with their services. Not to mention the transitive trust relationships with most root CAs allow them a lot of freedom to do what they did in this case.

    I do like the proposal of an “audit list”, though I am not sure how effective it would be; open source concepts are great for development, though they do not offer much on security and trust. In my opinion it may take some litigation and strong-arming such as what happened with DigiNotar to really keep those CA companies honest.
     
  3. Baserk

    Baserk Registered Member

    I find it pretty peculiar that Microsoft, Apple and Google all have kept their mouths shut regarding the Trustwave drama, especially compared to the discussion at the Firefox bug tracker. link
    A CA that wasn't hacked like DigiNotar but actually sold a 'MITM website xyz' method to a company, jeez;

    '...Additionally, when the system would accept an outbound SSL connection from within the customer network, and negotiate the session with the server outside the customer's network, the private key for the resulting re-signed SSL certificate (that is presented to the internal network) would be generated in the HSM and only live for the duration of the SSL request. No party had access to the re-signed SSL certificate private keys at any time, nor could they gain access to them. This is what prevented the customer from being able to perform ad hoc issuance of certificate for any domain and use them outside of this hardware and infrastructure.' link

    After Trustwave having broken trust, I have a hard time actually trusting all this.
    But it seems Trustwave ought to be hailed, lauded and praised for coming clean, reading several blog comments here and there...:rolleyes:
    Apparently when CAs become real big, they become like large banks. Too big to fail, whatever their wrongdoings.
    And we'll be stuck with this close-to-zero-accountability vomit-model for some time.

    Models like Perspectives and Convergence might be the future, but having used Perspectives for a while, I don't think it's ready for prime time yet; low uptime of their notary servers led to frequent error messages, too many for my taste at least. Time to look at Convergence again.
     