[nycbug-talk] CA Cert Meeting
G.Rosamond
george
Mon Jul 5 23:59:21 EDT 2004
Pretty decent turnout. . .
There are a number of unresolved questions which should be quite clear
to everyone at the meeting, and in particular to those at the bar
afterwards. . .
1. The three tenets of security are: authentication, non-repudiation,
confidentiality. . . Those need to be kept in mind with any
security-related process or software.
2. Guaranteeing the validity of an assurer on an annual basis or so.
3. Guaranteeing the validity on a regular basis.
4. Integration with MS's IE is critical. . . Opera, Mozilla, and Safari are
probably a cakewalk compared to IE.
5. Legal issues with storage of certs. . . maintaining confidentiality.
6. It may make sense to deal with stages. . . mail certs, then on to
www server certs down the road.
There's more that was raised, but I think the major point is this. . .
it needs to be approached as an open source project that deals with a
set of confidential data. . .
The process and protocols involved have not been adequately elaborated
or articulated. . . basic questions remain unanswered, many of which
were raised last Thursday at USENIX and again tonight.
That should be the focus now. . . not implementation, which should be
postponed to a later date when the methods and protocols are set. . .
I think Snort is vaguely a great model. . . considered a lightweight
compared to most IDS systems, but their software is still the
trend-setter for the IDS industry.
Verisign, etc., doesn't take the big three of security (see point #1)
seriously, nor does it have those considerations well thought out. . . we
can have them well thought out and impressive, and that can actually
overhaul protocol in the field of SSL certs.
The example from USENIX about social engineering your way to a Dun &
Bradstreet number is valid, whether it's actually true or false.
We need to think out a way beyond the industry's current practices.
No, it won't be adopted by Citibank tomorrow, but certainly this
implementation can change the level of general security, and possibly
open itself up to the SOHO/small tech/high-security market. . .
Sorry if some of this makes no sense to those who haven't followed the
debate. . . it would probably make more sense if you checked out
cacert.org. . .
g