On 2/21/2011 1:54 PM, Adam Langley wrote:
> "Internet Widgits Pty Ltd" is the OpenSSL default. "Hewlett-Packard Co." are JetDirect printers. "Fortinet Ltd." is some gateway manufacturer.
> Tor doesn't have to pick a single type I believe. It could pick between some number of templates at first-run (although Fortinet tend to be 2048-bit and HP are 1024-bit).
Any time we define a single list of cert templates like this and choose from among them, we're creating an easy set of items which can be blocked. As I mentioned in my earlier posting today [1], I strongly doubt that an oppressive regime's censors are going to care if they block JetDirect printers or home routers as collateral damage when blocking Tor. Even if they do, what does this actually gain us over randomized organization names chosen from a large wordlist (or even total gibberish)?
Any static list is going to, by definition, have to exist within the source code, and thus will be very easy for an even moderately determined censor to find. If we're going to do that we had better be doing it with something that we know will cause massive collateral damage and thus would be much more likely to be avoided; I just don't see that happening with any of these devices.
Regards, Tim
[1] https://lists.torproject.org/pipermail/tor-dev/2011-February/000005.html
-- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde@cymru.com | +1-630-230-5433 | http://www.team-cymru.org/