[conspire] (forw) Re: Fortune: bad juju

Rick Moen rick at linuxmafia.com
Tue Aug 30 11:40:31 PDT 2011


By coincidence, Karsten had written to me asking if I were aware of the
DigiNotar meltdown, so I lobbed him a copy of yesterday's thread from
here.  Anyway, I figure my comments about CertWatch might be of
interest.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 30 Aug 2011 11:37:52 -0700
From: Rick Moen <rick at linuxmafia.com>
To: "Karsten M. Self" <karsten at linuxmafia.com>
Subject: Re: Fortune: bad juju
Organization: If you lived here, you'd be $HOME already.

Quoting Karsten M. Self (karsten at linuxmafia.com):

> CA management really needs help. The browser vendors and distros are
> updating their CA lists, but I'm thinking of the enterprise case
> (fortunately IT isn't  my rubric, but I think it's a good idea to worry
> about these things) and how you'd manage CA trust/distrust across
> numerous clients on an enterprise basis.

By the way, I'm a bit stumped as to how to assess the prospects for
usefulness of the following without intensive study and usability
testing:

Convergence, http://convergence.io/
Monkeysphere, http://web.monkeysphere.info/

There's been a history of theoretically clever crypto regimes that went
nowhere for a large variety of reasons.  For lack of ability / time /
energy to assess the above, I've lately just gone with:

CertWatch, http://certwatch.simos.info/

CertWatch is less ambitious but has a model that's very easy to
understand and trust, and is immediately useful.  It simply lets you
know every time you're using a new/changed SSL cert or CA root cert or
intermediate cert for the first time.  So, if suddenly my online banking
login for US Bank has an unexpected new cert, and especially if the new
cert is from a different certificate authority that doesn't look
familiar, I have the opportunity and option to be doubtful about site
authenticity.

> Oh, and my phone.  Need to note that the damned thing's invalid there.

Sorry, can't help your 'phone.  ;->


----- End forwarded message -----




More information about the conspire mailing list