Archives for March 2012

My Public Comments to the CA/Browser Forum Organizational Reform Working Group

Today, I submitted public comments to the CA/Browser Forum. CA/B Forum is an industry group started by Certificate Authorities — the companies that sell digital certificates to web sites so that your browser can encrypt your communications and can tell you whether it’s connecting to the genuine site. It is important that CAs do a good job, and there have been several examples of Bad Guys getting fraudulent certificates for major web sites recently. You can read the comments below, or download a pretty PDF version.

Public Comments to the CA/Browser Forum Organizational Reform Working Group
March 30, 2012

I am pleased to respond to the CA/Browser Forum’s request for comments on its plan to establish an Organizational Reform Working Group.[1] For more than a decade, Internet users have relied upon digital certificates to encrypt and authenticate their most valuable communications. Nevertheless, few users understand the technical intricacies of the Public Key Infrastructure (PKI) and the policies that govern it. Their expectations of secure communication with validated third parties are set by the software that they use on a daily basis, typically web browsers, and by faith in the underlying certificates that are issued by Certificate Authorities (CAs). CAs and browser vendors have therefore been entrusted with critically important processes, and the public reasonably relies on them to observe current best practices and to relentlessly pursue even better practices in response to new threats.



Professor Ed Felten, while on loan to the Federal Trade Commission for 2011 and Spring 2012, has a new Tech Policy Blog, Tech@FTC. When he’s in his role as Chief Technologist of the FTC, he’ll blog there; when he’s wearing his regular hat as Professor of Computer Science and Director of the Center for Information Technology Policy, he’ll blog here at freedom-to-tinker.

Of course, the big news from the FTC this week is the official report, Protecting Consumer Privacy in an Era of Rapid Change, and I see that Ed has something to say about that. But he’s also got an article about SQL injection and our friend, little Bobby Tables.

Join Us at Princeton Tomorrow for "Copyright Cat-and-Mouse: New Developments in Online Enforcement"

Tomorrow afternoon, the Center for Information Technology Policy is hosting an event that looks at the state of online copyright enforcement and the policy perspectives of the parties involved. We’ve got a great lineup, with folks from the content industry, internet service providers, web companies, academics, and the press.

Date: Tuesday, March 13, 2012
Time: 1:00 PM – 5:00 PM
Location: The Friend Center, Princeton University, Convocation Room

[Update: Video of the event is now available.]

Don't Upset the Intellectual Property Fashion Police

A student group at the University of Pennsylvania Law School has put together a fantastic symposium on the state of fashion law, but along the way they (allegedly) snagged themselves on Louis Vuitton’s trademarks. After creating a poster with a creative parody of the Louis Vuitton logo, they received a Cease & Desist letter from the company’s attorneys claiming:

While every day Louis Vuitton knowingly faces the stark reality of battling and interdicting the proliferation of infringements of the LV Trademarks, I was dismayed to learn that the University of Pennsylvania Law School’s Penn Intellectual Property Group had misappropriated and modified the LV Trademarks and Toile Monogram as the background for its invitation and poster for the March 20, 2012 Annual Symposium on “IP Issues in Fashion Law.”


DHS OIG study of scanners silent on computer threats

The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the large number of repair services, and the lack of data analyzing whether the machines serve their claimed purpose. (The report does not address millimeter wave machines, which most scientists believe are safer.)

But what’s surprising in both the report and the critiques of it is that they have only discussed the radiation aspects when the machines are used as intended, and not the information systems embedded in the devices, or what happens if the scanners are used in unintended ways, as could happen with a computer system malfunction. Like any modern system, the scanners almost certainly contain a plethora of computer systems, controlling the scanning beam, analyzing what the beam finds, etc. It’s pretty likely that there are Windows and Linux systems embedded in the device, and it’s certain that the different parts of the device are networked together, for example so that a technician in a separate room can see the images without seeing the person being scanned (as TSA has done to head off the complaints about invasion of privacy).
