On 24/03/11 10:09 -0400, Harald Koch wrote:
On 3/23/2011 11:05 PM, Martin Millnert wrote:
To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
The point is that the 'short amount of time' should have been zero (from the time of the update of the CRL), which would have allowed an immediate announcement of the revocation to the public, with sufficient details for the public to make educated decisions about their internet usage. But because the CRL publication did not facilitate that, due to whatever deficiency there existed in the protocol or in browser implementations, announcement had to be delayed, providing a small group of attackers a larger window than necessary to compromise information.

-- Dan White