
List:       racf-l
Subject:    Re: Keyring content
From:       Charles Mills <charlesm () MCN ! ORG>
Date:       2017-09-02 13:21:16
Message-ID: 053e01d323ee$5ba3b3c0$12eb1b40$ () mcn ! org

Agree. Seems like kind of a copout. Customers are paying $$$ not just for
software but for expertise.

I guess a new opportunity for Vanguard and RSM and Hansel and Henderson.

Charles


-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Phil Smith III
Sent: Friday, September 1, 2017 9:17 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Keyring content

It seems to me that IBM is taking a purist approach: "You should know who
you're talking to". And of course that's hard to argue with from a purist
standpoint.
But from a pragmatic standpoint, while that's fine *for professionals who
are qualified to make that decision*, there's a reason that the browsers,
for example, ship with a set of standard root certs: because end-users
aren't qualified to make that decision.
I submit that neither are most z/OS systems folks qualified. And that's
where it hews to the bone: if I'm right, then this will net *decrease* z/OS
security, while costing z/OS folks a lot of time: lose/lose. Why? Because
they're going to get hit with "x, y, z, and [a-w] all stopped working" and
scramble to re-add those same certificates, doing so *without analysis*. So
the net is that they'll wind up exactly where they were, at best; at worst,
they'll add a bogus certificate. All with disruption and wasted effort.
An alternative approach might be to say "You know, the folks who 'get it'
will already be doing the required analysis." If IBM were to provide a list
of the provided certificates with a cover letter saying "You should
understand this list and delete any that you don't want to trust", then
folks could continue to do so, and a few people would say "Oh, yeah, I
should be doing this" and start. But the rest would continue as they have
been *and would be anyway, after some hassle* -- and without IBM continuing
to erode z/OS by making life more difficult.
.phsiii