Keynote

ShmooCon V - 2009

Presented by: Dr. Anton Chuvakin, Greg Conti, Jack Daniel
Date: Friday February 06, 2009
Time: 19:00 - 20:00
Location: Front Room

The recently described TLS Authentication Gap represents one of the most complex security disclosure processes in recent years. Because the flaw had been present since the early days of SSL, a great many products were affected. Since it was a bug in the protocol itself (rather than a flawed implementation), there was no easy way to roll out a quick fix. Furthermore, because the protocol is generally implemented in a library, a long dependency chain of software and hardware had developed over the years, with interesting interactions between open-source libraries and downstream commercial software. In some cases, open-source products were in direct market competition with commercial counterparts that depended on them. Interoperability of the proposed solution was a major concern.

To address these and other issues, the authors undertook one of the most ambitious private disclosures on record, including representatives from the largest commercial software vendors, the largest open-source projects, the IETF, and others in secret. The working group arrived at a solution and was on the path toward implementation when the flaw was independently discovered and...

In this talk, the authors will discuss the discovery of the flaw, provide a technical overview and demonstrations, and then walk through the rationale and lessons learned in coordinating this disclosure.

Matt Blaze

Since 2004, Matt Blaze has been a computer science professor at the University of Pennsylvania; prior to that, he spent a dozen years on the research staff of AT&T (Bell) Labs. Matt's work focuses on cryptography and its applications, trust management, physical and human-scale security, designing secure systems, and networking and distributed computing. He's particularly interested in security related to public policy, such as cryptography policy (key escrow), wiretapping and surveillance, electronic voting, and secrecy in science.
