Slashdot Mirror


User: mysidia

mysidia's activity in the archive.

Stories
0
Comments
13,354

Comments · 13,354

  1. Re:Bullet, Meet Foot on 23,000 HTTPS Certs Axed After CEO Emails Private Keys (arstechnica.com) · · Score: 1

    You do not need a private key to revoke a certificate. You need the certificate serial number.

    As a reseller, they wouldn't have any legal right to revoke the certificate without customer permission -- that should be an act of the CA.

    Notice how in the article that DigiCert Demanded Proof of the compromise?

    Hopefully now that this has happened: DigiCert will be more reluctant to permit this reseller in the future to have their own custom ordering process --- I would say they should suspend this reseller until they agree to a contract addendum that they will neither generate nor obtain or store private keys for customer certificates.

  2. Re:Serious questions on California Scraps Safety Driver Rules for Self-Driving Cars (nytimes.com) · · Score: 1

    During much of the winter, all cars in the snowy parts of the U.S. are exactly the same color as the road and all other objects in sight.

    That's called hazardous driving conditions. And self-driving cars are not necessarily ready for all hazardous driving conditions, but one thing's for sure..... vehicles, whether self-driving or not, should be moving at reduced speeds for conditions. If conditions are snowy or icy such that cars are being covered: there shouldn't be any vehicles exceeding 30 Miles per Hour.

    The "issues with trailers blending into the sky" were at great distance under normal driving conditions on the highway, E.g. 75 Miles per Hour on a clear day.

    Things would have very likely turned out quite differently if driving conditions were hazardous snowy, and the self-driving car was traveling the highway at 25 MPH, and working to identify potential obstacles concealed by snow.

  3. Re:Bullet, Meet Foot on 23,000 HTTPS Certs Axed After CEO Emails Private Keys (arstechnica.com) · · Score: 1

    ... Which seems like an appropriate thing to do.

    No... it is NOT appropriate for a CA or a reseller of a CA to retain customers' private keys in the first place --- it is even MORE SO inappropriate for a CA to deliberately extract and use in any manner for any purpose a customer's private key from "secure cold storage" without that customer's specific authorization.

    Basically this changed the situation from "There are security concerns related to these certificates", to --- This CA reseller deliberately compromised the security of their customers' certificates by appropriating their private keys during the ordering process and then later transmitting them insecurely over the internet.

  4. Re:Absurd on Supreme Court Wrestles With Microsoft Data Privacy Fight (reuters.com) · · Score: 1

    In this case, MS US owns MS Ireland. Legal authority exists as part of those ownership rights.

    Perhaps MS US owns MS Ireland, BUT Legal authority does not extend into breaking the law.

    If it would be a violation of the laws in Ireland for MS Ireland to transfer the data outside of Ireland, then not even the owner of MS Ireland has the legal authority to do so, even if they might have means of physically coercing MS Ireland to break the law; doing so would by definition be an unlawful attempt to exercise authority.

  5. Re:EVs will change that on After Rising For 100 Years, Electricity Demand is Flat (vox.com) · · Score: 2

    The thing to watch for is if gasoline prices drop because of that, then ICE cars become more cost-competitive against EVs than they were before.

    Which would result in demand for ICE cars increasing until the number of ICE cars causes gasoline prices to rise again, and eventually an equilibrium is reached.

    OR states could start increasing tax on gasoline fuel for on-road purposes in order to offset the decrease in price.

  6. Re:Absurd on Supreme Court Wrestles With Microsoft Data Privacy Fight (reuters.com) · · Score: 1

    In this case, the court would order MS US to give effect to the order, and MS US would either have to order/discipline/fire people at MS Ireland until they complied

    But since MS US does not have any legal authority over MS Ireland; it's a moot point; Microsoft US has no capability to "order", "discipline", or "fire people" in the other business unit.

  7. Re:Much ado about nothing on Children Struggle To Hold Pencils Due To Too Much Tech, Doctors Say (theguardian.com) · · Score: 1

    they will still need to sign legal documents and even use a stylus for the electronic credit card reader.

    Legal paper documents can be signed by a stamp, a thumbprint, or a crudely drawn figure with no need for handwriting.
    BUT Legal paper documents are going away --- by the time today's kids are 18, to sign a document: you'll probably swipe your driver's license and just scan a finger to create your unique digital imprint.

    All the electronic-sign credit card readers I've encountered let you sign with a few strokes of your index finger.

    And the requirement is being phased out for EMV chip cards --- the formality of "signing the receipt" is being eliminated by Visa and well on the road towards completely going away already, and by the time today's kids are 18 you won't have to sign any CC receipts.

    On extremely rare occasions, you might sign a check perhaps ---- but a lot of people don't even carry those or ever use them anymore.
    Ultimately cryptocurrencies could replace these; again, Today's kids probably won't be using them, and by the time they're 18 they may no longer exist.

  8. Re:Serious questions on California Scraps Safety Driver Rules for Self-Driving Cars (nytimes.com) · · Score: 1

    An analogous example is the tesla crash where supposedly the color of the trailer too closely matched the sky

    Honestly... we should have a law that large vehicles must have sides that are Distinctly colored from the environment with bright "Blue" or "White" colors specifically banned, so they are visible at maximal range, even to a computer.

  9. Re:Serious questions on California Scraps Safety Driver Rules for Self-Driving Cars (nytimes.com) · · Score: 1

    If these are the only tasks that they ever perform regarding the vehicle, then No.

    But we still might want to require even riders show they have a minimum of survival skills before they're allowed to direct a vehicle to a location; in order to be licensed as a "Safe rider" ---- that would include education in what to do in the event of a breakdown for their model of vehicle, and Rider safety rules such as Must buckle seatbelts.

  10. Re:Serious questions on California Scraps Safety Driver Rules for Self-Driving Cars (nytimes.com) · · Score: 1

    What? Owners of regular manually driven cars aren't required to have driver's licenses.

    That may be true if they don't drive the vehicle, but they're still required to have liability insurance that covers the vehicle in order to register the vehicle at the DMV, and proof of insurance these days has to be shown every time you get inspection stickers updated --- one of the first things they ask you when getting insurance on the vehicle is to see your driver's license.

  11. Much ado about nothing on Children Struggle To Hold Pencils Due To Too Much Tech, Doctors Say (theguardian.com) · · Score: 1

    A skill that was once necessary for learning and communication no longer is. Electronic media has replaced pen and paper, so the skill to hold a pen isn't particularly useful, except perhaps as an input device to aid in artistic creativity.... I don't see graphics artists turning in their stylus and drawing tablets for a touchscreen, but other than that.... Pens are soon to be extinct.

  12. Absent this worst-case scenario, all of these checks are serialized, at least doubling the time it takes to connect.

    This is why operating systems cache CRLs for weeks; to avoid serialization of the CRL check with requests. The issue is similar for running programs VS visiting a website, except users expect programs to launch even faster, AND even While offline or disconnected from the internet, So the system has even LESS time to check for revocation on a code certificate.

    The PKI standards were simply Not designed in a way to handle revocation in an acceptable manner for end-user computing, thus Revocation checks are widely delayed or permitted to fail ------ If you want to revoke a cert AND have high effectiveness, then this needs to be a high-profile revocation with an announcement, And a software update for certificate blacklisting that users and administrators are alerted to apply to their systems quickly.

    The CRL URL is almost certainly https

    No. From what I see; most of the time the CRL URL is most certainly non-HTTPS. It makes sense..... ultimately there would be a circular dependency if CRL servers were HTTPS. Also, when the CRL is an HTTP file -- the file being downloaded generally has to be signed by the CA itself; one of the cool things about OCSP (for CAs that support it) is the CA can delegate a separate certificate to handle revocations through the OCSP server, so the CA certificate does not have to be kept online to sign every new CRL.
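    The CRL-versus-OCSP signer distinction the comment describes, as an added example that is not part of the original post or of any CA's code: a CRL is only acceptable under the CA's own signature, while an OCSP response may be signed by a delegate certificate the CA issued with the id-kp-OCSPSigning extended key usage. The CA, delegate and leaf are constructed in memory with made-up names; nothing is fetched from a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AcceptableRevocationSigner encodes the contrast the comment draws: a CRL must carry the CA's
// own signature, whereas an OCSP response may also be signed by a delegate certificate the CA
// issued with the id-kp-OCSPSigning extended key usage (RFC 6960, 4.2.2.2), so the CA key can stay offline.
func AcceptableRevocationSigner(ca, signer *x509.Certificate, ocsp bool) bool {
	if signer.Equal(ca) {
		return true // the CA's own certificate always qualifies
	}
	if !ocsp || signer.CheckSignatureFrom(ca) != nil {
		return false // CRLs have no delegation; an OCSP delegate must be issued by this CA
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true
		}
	}
	return false // issued by the CA, but not authorised to speak about revocation
}

// BuildDemoPKI constructs an in-memory root CA, an OCSP signing delegate and an ordinary TLS leaf (all names made up).
func BuildDemoPKI() (ca, delegate, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issue := func(t, parent *x509.Certificate) *x509.Certificate {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if parent == nil { // self-signed root: the subject key is the CA key itself
			parent, key = t, caKey
		}
		t.NotBefore, t.NotAfter = time.Now(), time.Now().Add(time.Hour)
		der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), caKey)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			panic("certificate issuance failed")
		}
		return c
	}
	ca = issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil)
	delegate = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo OCSP Responder"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}}, ca)
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca)
	return ca, delegate, leaf
}
```

    A real client would additionally check validity dates and the responder's key usage, but the delegation rule itself is the few lines above.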

  13. Re:Makes sense on Dropbox Shows How It Manages Costs By Deleting Inactive Accounts (cnbc.com) · · Score: 0

    Coming to a patent office near you...
    METHOD OF REDUCING server disk space consumption for an online service .... (By deleting inactive accounts)

  14. Isn't that the whole basis of the trust systems response? Is that certs can be revoked?

    The Revocation mechanism is designed to help with the rare case that the code signer's public key is compromised. It's NOT designed to facilitate the CA doing safety reviews on code they've signed to identify it as malware and cancel the signature.

    For performance reasons.... the Valid/Revoked status is generally cached at a minimum, for example, and some clients won't necessarily even check for revocation without a patch/upgrade being sent out to manually blacklist the cert --- the HARD end date on a cert is the expiration date on the cert; and revocation is not a very dependable facility; at least not without additional measures.

  15. Their own policies might hurt them on Is Cryptocurrency Threatening Earnings at Bank of America? (thenextweb.com) · · Score: 2

    Clients may choose to conduct business with other market participants who engage in business or offer products in areas we deem speculative or risky, such as cryptocurrencies

    They're basically talking about BoA's choice to BAN customers using a portion of their own money taken from their deposits with BoA to buy or sell Crypto from/to a crypto exchange. BECAUSE Clients may choose to conduct this business, these clients may close their BoA accounts and/or move their funds to a BoA competitor; as a result of BoA's policy which restricts their clients' use of their clients' deposits ---- Basically Clients may choose to conduct business.... Meaning they WILL NOT tolerate BoA's Attempt to RESTRICT customers from using customers' own money with business in areas "BoA deems too risky or speculative" to allow business, and basically say F**** YOU to BoA for trying to impede their business with those speculative exchanges.

    I think YEAH.... BoA should definitely list that as a risk, and I hope more and more customers will wake up to BoA's shady practices and unreasonable/arbitrary policies and restrictions on customers' use of funds

  16. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 1

    Not Gitmo.... but I agree the fact that traditionally replaceable commodity parts, especially consumables are permanently installed --- should be considered a deliberate design defect AKA intentionally built to fail, AND Apple should be required to compensate consumers for the additional costs; for example if you purchase a new NVMe, then Apple should be required to install the module free of charge, including performing all necessary solder work, and warranting that work for an unlimited time period.

  17. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 1

    You get three strikes over two years, then you get fined $200.

    With the current level of fines it's $250 after 3 calls, so Apple's 20 bogus calls a day will only cost them 150,000 a month. Since that's not stopping them, either (A) They aren't being given the proper fine, or (B) Apple considers it just a cost of doing business --- not a large enough fine to justify any changes.

    Thus why when the government FINES a business they oughta add a GROSS REVENUE clause. If either your annual gross income or gross revenue exceeds $1 Million per Year, then the fine will instead be the greater of 10 Times the normal amount AND 0.1% of your gross sales and 0.1% of your gross earnings

  18. Re: Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 1

    I don't think that butt-dialing would qualify as "knowingly allowing the use".

    Butt dialing once would not qualify as knowingly, BUT that excuse only works once --- if the incident repeats however After you were verifiably notified that it is occurring, then further buttdial calls after notice will be KNOWINGLY, because you know your phone is making 911 calls and failed in a duty to stop it ---- so you better make some adjustments to ensure further butt dials cannot happen, FOR EXAMPLE: Lock your phone before you stick it in your butt pocket.

  19. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 1

    Both imply intent and deliberate action, neither of which is going to be the case.

    NOPE --- Knowingly includes INACTION or failure to prevent after you have been given notice of an ongoing, continued, or repeated inaction; it's happening 20 times a day, so there's absolutely Zero way they could claim this is not happening knowingly.... Maybe Apple can afford the $250/Call fine and it isn't enough to justify them fixing it ----- then I would suggest they escalate the fine to $2500/Call after the number of calls exceeds about 100.

  20. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 2

    If the police inform you that a 911 call is coming from your house every day, then further calls are Knowingly, And you have a lawful duty to prevent further false calls --- even if that means you have to turn off or permanently disable a broken phone errantly making false calls to accomplish that, otherwise you are Knowingly and willfully making the further violations that occur after you have been Made aware by notice.

  21. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 2

    Happening ONCE a year is an "accident"

    Happening ONCE a quarter is negligence.

    Happening ONCE a month is gross-negligence -- should result in fines

    Happening ONCE a week is willful violation -- should result in major fines

    Happening ONCE a day is gross violation -- should result in escalating response

    Happening MORE THAN ONCE a day should have police putting potentially responsible people in jail and asking questions later.

  22. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 1

    So the solution to the problem is to double down on the already absurd overuse of police force that the USA suffers from, opening them up to lawsuits from a very wealthy company in the process?

    They're not subject to being sued, because police have the power to take actions to stop life-threatening crimes from action, AND criminal actions trump civil actions, so by having a criminal action any attempts to sue them will be rejected or thrown out of court until the criminal actions are resolved.

    It's NOT an absurd overuse of police force. It would be, MAYBE if they did it on the first Illegal false 911 call.
    But over 1600 false 911 calls have been made from this location, and at least 20 a day.

    I'm saying on about false call number 20, they need to say ENOUGH OF THAT BULLSHIT; we're going to exercise the government police power to shut you down next call, and use police power to shutdown your facility until you start abiding by the law and make the false calls stop.

  23. Re:Isn't there a law? on Apple Devices At California Repair Center Keep Calling 911 · · Score: 4, Interesting

    There surely are laws about falsely calling 911 repeatedly? If so, do what the law says, fine them, throw them in jail.

    What they need to do is next time a false 911 call comes in.... do a dispatch, send a team to the facility. Rope it off. Detain all persons present in the building for questioning. Nobody may enter or leave this building, until the exact device that made the call is identified.

    Investigate, make sure the call was false, identify the device.

    Seize the device into police custody.

    Seize all similar iPhones or smart Watches present and put them into evidence.

    Start interviewing witnesses in search for the person who made the false call. If no person could be found, find the highest ranking manager in control over that location and begin arraignment proceedings for false 911 calls.

  24. You're buying it used. If you don't like the warranty, don't buy it. If it fails outside of warranty, well, that's why a warranty has a lifetime.

    When you're buying a vehicle from someone used they may NOT withhold information they know about defects or damage to the vehicle, or if it had been flooded or submerged and then fixed up --- or accidents or major damage the vehicle has been repaired from.
    That would be fraud, which would make this lawsuit reasonable -- if that's what Tesla was doing.

  25. No matter how well the repairs are done the frame is never going to be the same as it was pre-accident. Even if everything looks perfect the frame could be out of specifications

    EXACTLY if damage was done to the vehicle after construction but before delivery, then this is an accident --- and is required to be disclosed; repairing all the non-functioning and aesthetically damaged elements does not mean the vehicle has been fully restored to Pre-Damage specifications.