[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Chris Palmer snackypants at gmail.com
Wed Sep 7 10:00:06 PDT 2011


The corporate MITM case, whether you think it is ok or not, is easy to
accommodate and we don't have to do any more work to support it. Just
use GPOs to push out an organizational MITM CA; if necessary, modify
the traffic to take out things like HSTS, security updates, et c.
(While you're at it, use GPOs to cause browsers to enforce a whitelist
of sites...) The real problem for corporate MITM backers is coping
with the fact that DLP doesn't exist, MITM or no, but that's outside
the scope of this mailing list. :)

This mailing list is about the real internet, and finding solutions
for the real internet's problems. In fact, many of our problems stem
from the fact that we shoe-horned a solution built for non-global,
hierarchical organizations (X.509) into the real internet. So, we
won't be catering to non-global needs anymore since we hope to come up
with a real solution.

Why are we arguing about this? Everybody wins.
