[Cryptography] Dells are shipping with a rogue root level CA cert
ianG
iang at iang.org
Thu Nov 26 11:34:50 EST 2015
On 24/11/2015 02:14 am, Tom Mitchell wrote:
> On Mon, Nov 23, 2015 at 12:57 PM, Perry E. Metzger <perry at piermont.com
> <mailto:perry at piermont.com>> wrote:
>
> It seems that, not having learned from Lenovo's experience, Dell has
> started shipping laptops with a Dell provided CA cert pre-installed.
>
> http://www.techworm.net/2015/11/dell-pcs-laptops-ship-with-edellroot.html
>
> It is unclear what the CA is for, but there's a good possibility it
> isn't good...
>
>
> How easy/hard is it to audit CAs?
Assuming this is a serious question - very hard. The key to the question
here would be "what question do you want answered by the audit?"
In practice, the question that *is* answered in typical CA audits is:
"is the CA compliant with a big long list of things
that CAs have agreed are important?"
What should be asked is
"how does this serve (secure) the user?"
But for various historical and structural-institutional reasons, that
will never be asked in a formal audit process. It was however
half-asked in an audit process known as DRC, so we can say that it isn't
an unaskable, at least.
(much much) more here:
http://iang.org/papers/open_audit_lisa.html
Much more than you wanted to know ;)
> I have looked at mine and it is a gaggle of cats to rangle.
Now, the question you might ask is ... why ?
iang
More information about the cryptography
mailing list