On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.
An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation. Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde