On Thu, Mar 24, 2011 at 2:39 PM, Franck Martin <franck@genius.com> wrote:
----- Original Message -----
From: "Roland Dobbins" <rdobbins@arbor.net> To: "nanog group" <nanog@nanog.org> Sent: Friday, 25 March, 2011 9:33:27 AM Subject: Re: The state-level attack on the SSL CA security model On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
Disclosure devalues information.
I think this case is different, given the perception of the cert as a 'thing' to be bartered.
Isn't there any law that obliges company to disclose security breaches that involve consumer data?
I don't think SSL certs are consumer data, per se. Back on original point - if the *actual effective* model of browser security is browsers with an internal revoked cert list - then there's a case to be made that a pre-announcement in private to the browser vendors, enough time for them to spin patches, and then widespread public discussion is the most responsible model approach. The public knowing before their browser knows how to handle the bad cert isn't helpful, unless you can effectively tell people how to get their browser to actually go verify every cert. -- -george william herbert george.herbert@gmail.com