[cabfpub] Teleconference Agenda

Ben Laurie benl at google.com
Wed Nov 6 16:18:57 UTC 2013


On 6 November 2013 15:09, Erwann Abalea <erwann.abalea at keynectis.com> wrote:
> On 06/11/2013 14:59, Håvard Molland wrote:
>
> On 11/05/2013 10:16 PM, Ben Wilson wrote:
>
> Besides reviewing working group status, new web site, and draft bylaws,
> which I'll send out soon, what other hot topics should we add to Thursday's
> discussion?  Remember, it will be an hour earlier for most of you.
>
>
> I would like that we discuss that some CAs generate the site certificate's
> private key for their customers.  It is my opinion that this breaks the
> trust model and, especially in the light of recent events, I believe this is
> a bad practice.
>
>
> In the light of older published results (weak Debian keys, lack of entropy
> on some devices as explained in the "Mining your P's and Q's" and subsequent
> papers), it can also be seen as a good practice. We at Keynectis don't do
> that, but I can accept the positive arguments for such practices.

I'm curious: do any of these devices actually have certs issued by CAs?

>
>
> We could also discuss elliptic curves and recent worries that certain curve
> constants might have been manipulated:
> http://slashdot.org/submission/2947823/are-the-nist-standard-elliptic-curves-back-doored
>
>
> Please distinguish the Dual_EC_DRBG and NIST curves concerns. Dual_EC_DRBG
> has certainly been weakened, while there's still some doubts regarding NIST
> curves. Maybe it's time to allow for other curves, Brainpool ones come to
> mind (RFC5639).
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

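The "Mining your P's and Q's" result mentioned above is that RSA keys generated on low-entropy devices can end up sharing a prime, so one GCD across moduli recovers both private keys. The check below is an added example, not code from this thread or from any CA: it implements Bernstein's batch-GCD (product tree plus remainder tree, the method that work used) so a CA or key-generation service can scan every modulus it has seen before issuance. The moduli are constructed from small primes purely to keep the arithmetic visible; real keys are 2048-bit and more.

```python
"""Batch GCD over RSA moduli: find keys that share a prime factor.

Added example. Given moduli N_1..N_k, batch_gcd returns gcd(N_i, prod_{j!=i} N_j)
for every i in roughly quasi-linear time instead of k^2 pairwise GCDs.
A result g with 1 < g < N_i means N_i = g * (N_i // g) and the private key is
recoverable by anyone who also holds the other modulus.
"""
from math import gcd


def product_tree(leaves):
    """Bottom-up tree whose root is the product of all leaves.

    tree[0] is the leaf list, tree[-1] is [product]. An odd trailing element is
    carried up unchanged, so parent index is always child_index // 2.
    """
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        layer = tree[-1]
        nxt = [layer[i] * layer[i + 1] for i in range(0, len(layer) - 1, 2)]
        if len(layer) % 2:
            nxt.append(layer[-1])
        tree.append(nxt)
    return tree


def batch_gcd(moduli):
    """Return [gcd(N_i, product of all other moduli)] for each modulus."""
    if not moduli:
        return []
    tree = product_tree(moduli)
    # Remainder tree: push R = product of all moduli down as R mod node^2.
    # Since child | parent, (R mod parent^2) mod child^2 == R mod child^2.
    rems = tree[-1]
    for layer in reversed(tree[:-1]):
        rems = [rems[i // 2] % (layer[i] ** 2) for i in range(len(layer))]
    # At a leaf N: R mod N^2 == N * ((R/N) mod N), so rem // N == (R/N) mod N
    # and gcd(rem // N, N) == gcd(R/N, N), i.e. the factor N shares with others.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_shared_factors(moduli):
    """Map index -> shared factor for every modulus that shares one.

    A value equal to the modulus itself means a duplicate modulus (or a key
    sharing both primes), which is just as disqualifying for issuance.
    """
    return {i: g for i, g in enumerate(batch_gcd(moduli)) if g > 1}


def recover_private_factors(n, g):
    """Split n given a nontrivial divisor g; (p, q) with p*q == n."""
    if not 1 < g < n or n % g:
        raise ValueError("g is not a nontrivial divisor of n")
    return (g, n // g)


# Constructed sample: toy moduli from primes just above 10^4 (not real keys).
# Moduli 2 and 3 deliberately share the prime 10061, as a low-entropy device
# that reseeded its RNG identically for each key might produce.
SAMPLE_MODULI = [
    10007 * 10009,  # healthy
    10037 * 10039,  # healthy
    10061 * 10067,  # shares 10061 with the next modulus
    10061 * 10069,  # shares 10061 with the previous modulus
    10079 * 10091,  # healthy
]

if __name__ == "__main__":
    for idx, g in find_shared_factors(SAMPLE_MODULI).items():
        n = SAMPLE_MODULI[idx]
        print(f"modulus {idx}: shared factor {g}, factors {recover_private_factors(n, g)}")
```

The check is cheap enough to run on an entire issued-certificate corpus as well as on new CSRs, and it is the check that turns the entropy argument in this thread into something measurable: a CA that refuses to issue for a modulus whose batch GCD is not 1 catches exactly the failure mode the Debian and embedded-device papers describe.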