Eddy Nigg wrote:
On 01/03/2009 05:38 AM, Eddy Nigg:
Before anybody else does, I prefer posting it myself :-)
http://blog.phishme.com/2009/01/nobody-is-perfect/
http://schmoil.blogspot.com/2009/01/nobody-is-perfect.html
For the interested, StartCom is currently checking if I can release our
internal "critical event report" of this event to the public (there
might be some internal information which should not be disclosed).
The report is available from here: https://blog.startcom.org/?p=161
(I'm continuing going back through old threads, including reading the
messages in this one I hadn't previously read. My apologies for being
somewhat abbreviated in my comments, and for not responding to every
point raised; I thought it was more important that I get my thoughts out
there and close out these issues, rather than wait for time I won't have
to do longer posts.)
My overall comments:
1. I appreciate your being proactive in posting about the StartCom
problems that were discovered and getting them fixed in a timely manner.
I wish more CAs would be more forthcoming about things like this.
2. I understand that what happened in the case of StartCom was not
exactly the same as what happened in the case of Comodo/CertStar.
However it's part of web security basics to assume that whatever a
client sends to a server is untrusted and must be (re)verified on the
server side to forestall potential attacks (e.g., SQL injection, etc.).
So IMO you get points for prompt disclosure and fixes, but in the end
you messed up just like Comodo and CertStar did.
3. To paraphrase what Nelson (?) wrote, "bugs happen". I don't think the
PKI/CA system is so fragile that it necessarily comes tumbling down
whenever a CA or RA makes a mistake. (If it really is that fragile then
we have bigger problems than those we're discussing here.) From a policy
point of view I think our interest is having CAs acknowledge problems
and fix them in a timely manner, both in terms of revoking certs when
needed and also in terms of addressing any underlying root causes.
4. In line with the previous point, I am not planning to recommend
removal of StartCom's root over this incident, both because the issue has
been addressed by StartCom and also because it appears to be an isolated
incident that does not indicate any larger problem of incompetence or
maliciousness.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
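The server-side re-verification principle from point 2, as an added example that is not part of the thread and does not describe the actual StartCom or Comodo/CertStar code: a minimal model of a CA issuance check that trusts a client-supplied "validated" flag, beside one that re-checks every requested name against the CA's own validation records. Account ids, domains and function names are constructed for the illustration.

```python
"""Added example: server-side re-verification of certificate issuance requests.

Everything here is constructed for illustration; it is not the code of any CA
named in the thread.
"""
from dataclasses import dataclass

# Constructed sample state: the domains each account has actually validated,
# as recorded by the CA after running its own validation procedure.
VALIDATED_DOMAINS = {
    "acct-1": {"example.com", "www.example.com"},
    "acct-2": {"example.net"},
}


@dataclass
class IssuanceRequest:
    account: str
    names: list                          # dNSNames the client asks to certify
    client_claims_validated: bool = False  # client-supplied flag: untrusted


def vulnerable_issue(req: IssuanceRequest):
    """Trusts a flag the client sent: the mistake the thread warns about.

    Anyone able to edit the request can set the flag and obtain a certificate
    for names the CA never validated for them.
    """
    if req.client_claims_validated:
        return True, "issued"
    return False, "not validated"


def hardened_issue(req: IssuanceRequest):
    """Ignores client claims; re-checks each name against the CA's own records."""
    validated = VALIDATED_DOMAINS.get(req.account, set())
    # Normalise case and a trailing dot so "WWW.Example.com." matches the record.
    unauthorised = [n for n in req.names
                    if n.lower().rstrip(".") not in validated]
    if not req.names:
        return False, "no names requested"
    if unauthorised:
        return False, "names not validated for account: " + ", ".join(unauthorised)
    return True, "issued"
```

The hardened check fails closed for unknown accounts and for any single unvalidated name, which is what revoking and root-causing after an incident should leave in place.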