Subject: RE: [cti-taxii] Items in scope vs out of scope


For an example where "special" certs might lead to a barrier to entry, US-CERT's CISCP program insists on using FedBridge certificates at the moment.  I know both ourselves and another large financial services firm have had trouble obtaining this type of certificate due to general confusion from our internal approval processes and even with external CAs who can't scale requests for certificates that require additional verification.

This is not to say that we'd necessarily have the same trouble with extended validation certificates -- but we're certainly making it harder for the average bear to use SSL if we prefer or require them.

Thanks,

Alex

-----Original Message-----
From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Tony Rutkowski
Sent: Friday, October 16, 2015 10:45 AM
To: Terry MacDonald
Cc: Jordan, Bret; cti-taxii@lists.oasis-open.org
Subject: Re: [cti-taxii] Items in scope vs out of scope

Hi Terry,

Your concerns certainly reflect those of many in the community.  On the other hand, there are arguably more ubiquitous TAXII use cases where EVcerts have a value proposition.  Perhaps this all gets folded into the trust model options.

--tony


On 2015-10-15 7:14 PM, Terry MacDonald wrote:
> I personally don't hold a lot of value in the use of EV Certs. 
> Certificate Authorities have a long history of getting social 
> engineered, hacked, and so forth. I think if people are super 
> concerned with validation of certificates then that will happen either 
> with phone calls to repeat the fingerprints of certs, or for super 
> secret trustgroups people will use their own shared PKI solution (e.g.
> separate offline trustgroup root cert, with a trustgroup run issuing 
> server for all participants). Vendors will of course issue client 
> certs through their vendor portals, or just accept the user auth as 
> confirmation of the TAXII client's identity.
>
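The shared-PKI option sketched in the quoted message (an offline trustgroup root, a trustgroup-run issuing CA for all participants, client certs for members, and root fingerprints confirmed out of band by phone) as an added Go example; it is not code from this thread or from any TAXII implementation, and the names, serials, and the `confirmedFP` parameter are constructed for illustration:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it is used only while building the constructed sample certs below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// mint builds a sample cert for cn with key usage ku, signed by parent (self-signed when parent is nil).
func mint(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // whole chain is for TAXII client auth only
	if parent == nil { // the offline root signs itself
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}
// Constructed sample hierarchy as sketched in the thread: offline root -> trustgroup-run issuing CA -> member client cert.
var root, rootKey = mint("Trustgroup Offline Root", 1, x509.KeyUsageCertSign, nil, nil)
var issuer, issuerKey = mint("Trustgroup Issuing CA", 2, x509.KeyUsageCertSign, root, rootKey)
var client, _ = mint("Member A TAXII client", 3, x509.KeyUsageDigitalSignature, issuer, issuerKey)
// Fingerprint is the SHA-256 of the DER cert: the value members read back to each other by phone.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// VerifyClient accepts a presented cert only if trustedRoot matches the phone-confirmed fingerprint and the cert chains to it via the issuing CA for clientAuth.
func VerifyClient(presented, trustedRoot, issuingCA *x509.Certificate, confirmedFP string) error {
	if Fingerprint(trustedRoot) != confirmedFP {
		return fmt.Errorf("root fingerprint mismatch: local root is not the one confirmed by phone")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(issuingCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A cert that does not chain to the pinned root through the issuing CA, or a local root whose fingerprint was never confirmed, is rejected before any TAXII request is processed.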



