On 3/1/09 04:38, Eddy Nigg wrote:
Before anybody else does, I prefer to post it myself :-)
http://blog.phishme.com/2009/01/nobody-is-perfect/
http://schmoil.blogspot.com/2009/01/nobody-is-perfect.html
For the interested, StartCom is currently checking if I can release our
internal "critical event report" of this event to the public (there
might be some internal information which should not be disclosed).
Leaving aside the details of this "disclosed exploit demo" ... and with
a nod to the benefit to the community of such a disclosure ... it is
useful to examine the MOTIVE for doing this.
What incentive exists for a CA in disclosing an apparent weakness?
* In the open source world, we would say, the code is there for us
to share and improve the code, and the weaknesses are, as a consequence
of the model, revealed. In the open source world, we grasp this nettle
and turn it into an advantage.
* But in the closed source world, other dynamics work. A seller of
proprietary product will suppress any report of weakness, as this will
cause the buying public to become suspicious, and buy some other
supplier's product.
We've seen both sides over the last 2-3 weeks.
So I guess there are two questions:
1. do we want to live in the world of open disclosure,
or the world of pretty facades?
2. if the former, how do we create the incentives
such that all prefer to disclose up front?
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto