Enabling Secure Business Operations

TJMaxx To Be Remembered For Data Debacle In '07

December 31st, 2007

The bigger the retailer's name, brand, or product, the more likely it is to be remembered for a data theft or fraud. TJMaxx has been selected as the #4 Business Debacle of 2007 by the Consumerist.

The issue highlighted how retailers have been quick to adopt the convenience of wireless information systems without taking the security measures needed to make sure they weren't also making things convenient for thieves. Who would have thought you could conduct the world's greatest bank robbery without a note, a gun, or even leaving the parking lot?

We've written about how long it took TJMaxx and the banks to notify their customers of the credit card thefts.

Here's the thing: something like this happens, the retailer or bank gives the affected customers new cards and some chump change, then promises better security measures. People (those who even care) feel a little better, then make their way back to the store the next time there is a sale.

Wonder how and whether the cycle will be broken in 2008… not likely, it seems.

E&Y 2007 InfoSec Survey Released

December 27th, 2007

The Ernst & Young

6 Federal Security Programs That Are Making A Difference

December 13th, 2007

One of the items on the SANS list, the Department of Defense's Common Access Card (CAC), has led to a 46% reduction in successful intrusions into defense systems.

The success of the CAC program has led to a broader effort to implement similar two-factor authentication systems government-wide under Homeland Security Presidential Directive-12 (HSPD-12), the SANS report said.

Something to keep an eye on for 2008, along with the changing credit card rules.

SSL Certificates

December 10th, 2007

Recently I had a customer ask me: when would you recommend an EV certificate over a standard SSL certificate?

My response was simple: only when the business determines that having the green address bar outweighs the additional cost. The green address bar is positioned to replace the gold padlock in the bottom right as the visual standard for secure web sites. The picture below is Microsoft's demonstration of the EV SSL graphical interface:

Thinking only about cryptographic strength and browser acceptance, there is no difference between a $15 GoDaddy Standard SSL certificate and a $1500 VeriSign Secure Site Pro with EV certificate: the key is the one you generate yourself, and both chain to a root the browsers already trust. Should there be a difference? Yes: for an EV certificate the issuer performs a much stronger check of the subject's identity (that the requesting organization legally exists and controls the domain), and the certificate carries an EV policy identifier, which is what gets you the green bar. Is that worth 100x the cost?
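To make that concrete, here is an added example (my own Go code, not from this post or from either CA) that issues two self-signed certificates with the same key and signature algorithm, differing only in the certificatePolicies extension, and then checks which one a browser would treat as EV. The EV policy OIDs listed are the CA/Browser Forum one and VeriSign's; the self-signing stands in for a real CA, and www.example.com and "Example Corp" are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-certificatePolicies (RFC 5280, 2.5.29.32): the extension a browser
// reads to decide whether a certificate gets the EV (green bar) treatment.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// Policy OIDs that assert EV. In 2007 each CA used its own (VeriSign's is
// listed); the CA/Browser Forum later defined the shared 2.23.140.1.1.
var evPolicyOIDs = []asn1.ObjectIdentifier{
	{2, 23, 140, 1, 1},                   // CA/Browser Forum EV
	{2, 16, 840, 1, 113733, 1, 7, 23, 6}, // VeriSign EV
}

// oidDomainValidated is the CA/Browser Forum policy for an ordinary DV cert.
var oidDomainValidated = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}

// policyInformation is one PolicyInformation entry (qualifiers omitted).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// policiesExtension DER-encodes a certificatePolicies extension with one OID.
func policiesExtension(oid asn1.ObjectIdentifier) (pkix.Extension, error) {
	der, err := asn1.Marshal([]policyInformation{{Policy: oid}})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}, nil
}

// NewKey generates the P-256 key shared by both certificates below.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueWithPolicy self-signs a certificate for host asserting the given policy
// OID (the self-signature stands in for a CA). Key, algorithms and validity are
// the same on every call; the policy OID is the only thing that differs.
func IssueWithPolicy(host string, key *ecdsa.PrivateKey, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	ext, err := policiesExtension(policy)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: host, Organization: []string{"Example Corp"}}, // placeholder subject
		DNSNames:        []string{host},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(365 * 24 * time.Hour),
		ExtraExtensions: []pkix.Extension{ext},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsEV reports whether the certificate asserts a known EV policy OID; this,
// not key size or signature algorithm, is what the browser keys the green bar on.
func IsEV(cert *x509.Certificate) bool {
	for _, p := range cert.PolicyIdentifiers {
		for _, ev := range evPolicyOIDs {
			if p.Equal(ev) {
				return true
			}
		}
	}
	return false
}

// SameCrypto reports whether two certificates use the same curve and
// signature algorithm, i.e. are cryptographically equivalent.
func SameCrypto(a, b *x509.Certificate) bool {
	ka, aok := a.PublicKey.(*ecdsa.PublicKey)
	kb, bok := b.PublicKey.(*ecdsa.PublicKey)
	return aok && bok && ka.Curve.Params().Name == kb.Curve.Params().Name &&
		a.SignatureAlgorithm == b.SignatureAlgorithm
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	std, err := IssueWithPolicy("www.example.com", key, oidDomainValidated)
	if err != nil {
		panic(err)
	}
	ev, err := IssueWithPolicy("www.example.com", key, evPolicyOIDs[0])
	if err != nil {
		panic(err)
	}
	fmt.Printf("same crypto: %v, standard is EV: %v, EV is EV: %v\n",
		SameCrypto(std, ev), IsEV(std), IsEV(ev))
}
```

Nothing in the TLS handshake or cipher suite changes between the two certificates; the browser's decision rests on the policy OID alone, and the vetting behind that OID is what the extra money buys.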

Trustworthy Alternatives to PDF

December 4th, 2007

The CERIAS Weblog has a post entitled Looking for Trustworthy Alternatives to PDF.

I commented on the article but wanted to share my comments here as well.

“Then, it became clear that PDFs adopted mixed loyalties and were disloyal to the computer owner by locking features down and phoning home.”

Locking features down and phoning home are not functions of the PDF standard, but of Adobe Reader. There are other reader programs which do not lock features, phone home, support JavaScript, or download ads. There is a decent list of PDF alternatives here.

“Last year Adobe forced Microsoft to pull PDF creation support from Office 2007 under the threat of a lawsuit while asking them to ‘charge more’ for Office.”

This is only partly true: Microsoft does not include PDF creation in the base installation of Office 2007, but it is still available from Microsoft as a free add-on.

“Whereas it might be possible to use a PDF viewer with limited functionality and not supporting attack vectors, the format has become tainted.”

Again, these are all optional portions of the PDF standard. There is a separate stripped-down PDF standard called PDF/A (ISO 19005) which removes the "active" portions of PDF (JavaScript, launch actions, encryption, and dependencies on external content), and the result is a better archival format. More info at http://www.pdfa.org or http://en.wikipedia.org/wiki/PDF/A

I think the community should be pushing for PDF/A to become the document standard of choice (it is compatible with the widely used PDF, since every PDF/A file is a valid PDF) and to create or buy reader applications which only support the PDF/A subset.
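As an added example (my own code, not from the CERIAS post or from Adobe), here is a byte-level triage scan in Go for the active-content names that PDF/A drops and that a PDF/A-only reader would refuse: scripting, auto-run and event actions, launching programs, attached files, rich media and encryption. It undoes the #XX hex escaping that PDF allows in names, so /J#61vaScript cannot hide from the check, and it reports when the file uses compressed object streams, where a byte scan cannot see. The two sample documents are constructed for the example and are deliberately minimal (no xref table), enough for the scan but not for a viewer.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Finding records one flagged name and how often it occurs.
type Finding struct {
	Key   string
	Count int
}

// activeKeys are the names this scan flags. PDF/A forbids JavaScript, Launch
// actions and encryption outright; the others are triage signals that the
// document relies on more than static page content.
var activeKeys = []string{
	"/JavaScript", "/JS", // scripting
	"/OpenAction", "/AA", // actions run on open or on events
	"/Launch",        // run an external program
	"/EmbeddedFile",  // attached files
	"/RichMedia",     // embedded Flash and similar
	"/Encrypt",       // encrypted document
}

// A PDF name token runs from '/' to the next whitespace or delimiter.
var nameToken = regexp.MustCompile(`/[^\s/\[\]<>(){}%]*`)

// Names may hex-escape any byte as #XX, so /J#61vaScript is the same name
// as /JavaScript; a scan that does not undo this is trivially evaded.
var hexEscape = regexp.MustCompile(`#([0-9A-Fa-f]{2})`)

// normalizeNames rewrites every hex-escaped name token into its plain form.
func normalizeNames(data []byte) []byte {
	return nameToken.ReplaceAllFunc(data, func(tok []byte) []byte {
		return hexEscape.ReplaceAllFunc(tok, func(esc []byte) []byte {
			v, _ := strconv.ParseUint(string(esc[1:]), 16, 8)
			return []byte{byte(v)}
		})
	})
}

// keyPattern matches key only as a whole name token (so /JS does not match /JSX).
func keyPattern(key string) *regexp.Regexp {
	return regexp.MustCompile(regexp.QuoteMeta(key) + `(?:[\s/\[\]<>(){}%]|$)`)
}

// ScanPDF returns the active-content names found in data, in activeKeys order,
// and whether the file contains object streams (/ObjStm), inside which
// dictionaries are compressed and invisible to this scan; a clean result on an
// opaque file is inconclusive and needs a real parser.
func ScanPDF(data []byte) (findings []Finding, opaque bool) {
	norm := normalizeNames(data)
	for _, k := range activeKeys {
		if n := len(keyPattern(k).FindAll(norm, -1)); n > 0 {
			findings = append(findings, Finding{Key: k, Count: n})
		}
	}
	opaque = keyPattern("/ObjStm").Match(norm)
	return findings, opaque
}

// Constructed samples: a static one-page document, and the same document with
// a hex-escaped JavaScript action that runs when the file is opened.
const cleanPDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
`

const scriptedPDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
`

func main() {
	for _, s := range []struct{ name, doc string }{{"clean", cleanPDF}, {"scripted", scriptedPDF}} {
		findings, opaque := ScanPDF([]byte(s.doc))
		fmt.Printf("%s: %v (object streams present: %v)\n", s.name, findings, opaque)
	}
}
```

A reader built for the PDF/A subset would reject the second file outright rather than scan it; the scan is the cheap first pass for a mailbox or a file share, and the opaque flag is there because object streams are exactly where a careful attacker would put the action dictionary.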

So, Adobe, why don't we have a PDF/A-only reader?