I previously commented on Verisign's incredulity at the fact that the researchers who produced a phoney SSL certificate didn't put them in the loop prior to public disclosure of their research.
It appears this incredulity has produced a bit of a debate. I'm linking Rob Graham who weighed in the subject:
The researchers behaved perfectly and responsibly. Their worry about being suppressed was justified, and their secrecy was an appropriate response. The very fact that Versign could quickly fix the problem in a day, but malicious hackers would need at least a month to replicate the feat, means that notifying Verisign ahead of time wasn't needed.
He links to a post from Alexander Sotirov who also took issue with Verisign's position:
In a recent post on his company blog, Verisign's vice president of marketing Tim Callan commented on the disclosure of our MD5 collision attack:
VeriSign did not receive any of [the] information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning.
I feel that this statement is inaccurate. Not only did we contact Verisign before our presentation to let them know about our research, we also strongly advised them to stop using MD5 as soon as possible and were given a chance to review their mitigation plans.
Callan responded in the thread on his blog.
Here are the facts as I understand them.
- The "trusted intermediary" was under a strict NDA with you and didn't feel it could reveal anything that was actually actionable or useful. Your NDA prevented the intermediary from telling us what would be announced, by whom, or when.
- You didn't invite us to view the presentation in person or on the webcast. Had VeriSign not discovered by other means that this presentation was coming, we may not have had the opportunity to hear what you had to say until after the fact.
- In addition to Microsoft and Mozilla, at a bare minimum you briefed The Washington Post, Wired Magazine, CNET, and IDG News Service prior to your announcement. You also briefed one or more active security bloggers. Based on the reports from these people, it appears that you obtained promises from them not to share with us either.
- You stood on stage in front of a room full of people and explained that you had actively sought to prevent us from finding out. You had a slide thanking the lawyers who helped you prevent us from finding out.
- VeriSign acquired the RapidSSL product line as part of its acquisition of GeoTrust in September of 2006. That's when we began our process of learnin... [ Read More (0.2k in body) ]