[security] SSL compromise
John Bradley
ve7jtb at ve7jtb.com
Wed Mar 30 21:33:48 UTC 2011
Hi Eddy,
Good to hear from you.
My point is mostly that RPs who are counting on TLS to provide a level of assurance that they are talking to an IdP need to perform CRL or OCSP checking.
Certificates without that should not be used by IdP.
There are browser issues no doubt. I am mostly concerned that RP are trusting a security mechanism that they have not configured properly and may get an unpleasant surprise at some point.
RP libraries need to take this seriously.
I have known the Comodo guys for a long time as well.
I use your Start SSL service for a reason.
However, as you say, if people don't manage the certificates in their root store they are more likely to see this sort of thing.
No CA is immune; sometimes customers shoot themselves in the foot, generating weak keys etc.
We have to be able to deal with revoked certificates or we should not be using TLS security for a key part of openID trust.
Regards
John B.
On 2011-03-30, at 4:46 PM, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 03/30/2011 09:59 PM, From John Bradley:
>>
>> The problem is how do you not trust them without breaking significant parts of the internet.
>>
>> They have us over a barrel.
>
> Well, well.... both of you know that this is a particular issue of a particular "Certification Authority" and that there are alternatives. And incidentally I happen to know both of you ;-)
>
> I assume that there will be actions by the most important browser vendors. I suggest checking your certificate stores and CA bundles at the servers and ripping out those CAs you prefer not to trust.
>
>
> Regards
>
> Signer: Eddy Nigg, COO/CTO
> StartCom Ltd.
> XMPP: startcom at startcom.org
> Blog: Join the Revolution!
> Twitter: Follow Me
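The point John makes above is that an RP library must fail closed when it cannot establish that the IdP's certificate is unrevoked. The following is an added example, not code from either mail or from any OpenID library, showing how an RP's TLS client can be configured in Python's standard `ssl` module so that a missing or stale CRL makes the handshake fail rather than silently succeed. The CA bundle and CRL file paths are placeholders; the `fetch_idp_certificate` helper is a hypothetical name.

```python
import socket
import ssl
from typing import Optional


def build_rp_context(ca_bundle: Optional[str] = None,
                     crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Return a TLS client context suitable for an OpenID RP talking to an IdP.

    Beyond the defaults (CERT_REQUIRED plus hostname checking) it demands a
    CRL for the leaf and every intermediate. If OpenSSL cannot find a CRL for
    a certificate in the chain, verification fails with
    'unable to get certificate CRL', i.e. the connection fails closed.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Weak setting (the default): verify_flags carries no CRL_CHECK bits, so a
    # revoked IdP certificate that still chains to a trusted root is accepted.
    # Corrected setting: require CRL checking for the leaf and the whole chain.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # placeholder path
    if crl_file:
        # load_verify_locations accepts PEM files containing CRLs as well as
        # CA certificates; the CRL must be kept current by the RP operator.
        ctx.load_verify_locations(cafile=crl_file)   # placeholder path
    return ctx


def default_context_for_comparison() -> ssl.SSLContext:
    """The stock context most RP libraries use, shown for contrast."""
    return ssl.create_default_context()


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the revocation-relevant settings of a context."""
    return {
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "crl_check_leaf": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "crl_check_chain": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
    }


def revocation_checking_enabled(ctx: ssl.SSLContext) -> bool:
    return context_policy(ctx)["crl_check_leaf"]


def fetch_idp_certificate(host: str, ctx: ssl.SSLContext, port: int = 443):
    """Hypothetical helper: open a TLS connection to the IdP and return its
    certificate, or the verification error. Not run by the tests (network)."""
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Covers both 'certificate revoked' and 'unable to get certificate CRL';
        # the RP must treat either as an untrusted IdP.
        return err


if __name__ == "__main__":
    print("default :", context_policy(default_context_for_comparison()))
    print("hardened:", context_policy(build_rp_context()))
```

With the hardened context and no CRL loaded, every handshake fails, which is the intended behaviour: the RP only accepts the IdP once it has a current CRL (or, in libraries that support it, a good OCSP response) in hand. OCSP is not exposed by the standard `ssl` module, so an RP wanting OCSP or stapling checks needs a third-party library or a proxy that performs them.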