CraginS
Defender I

Mis-Used Term on (ISC)2 Site - "Digital Certificate"

This note is a request for the (ISC)2 staff to correct an error on the main isc2.org Members Only drop down from the home page.

 

Under the first column is the term Digital Certificates. Clicking on that term leads to a file download window, allowing download of a PDF file of the member's (ISC)2 Certification certificate.

Please change that phrase to Download Your Certificate as PDF.

 

Within the infosec community the term digital certificate has a very specific technical meaning with regard to the world of Public Key Infrastructure (PKI), asymmetric encryption, server certificates for Transport Layer Security (TLS), and digital signatures (not to be confused with electronic signatures). A major portion of our (ISC)2 membership deals directly with those PKI issues regularly, and has locked in on the technical definition. As a result, most of us see that item and think that (ISC)2 is running a Certification Authority (CA) server, and can issue PKI certificates to members, suitable for digitally signing and encrypting e-mail and other documents. Obviously, not so.

 

Since the term is used on a part of the (ISC)2 site accessible only to registered site users, that is members and certification aspirants, we should be using the correct terminology there, and not misleading members expecting a true PKI-based digital certificate.

 

Thank you.

 

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
26 Replies
Early_Adopter
Community Champion

@crystal_waston

 

In this case the term was ‘Digital Certificate’ that has a formal meaning as part of a PKI. So it’s a bit funny the ISC2 uses it for something else - English is ambiguous for sure, but we shouldn’t let it get away with everything.

 

If you’re suggesting a digital badge as an alternative name for the PDF formatted certification certificate then ISC2 already have those from ‘Acclaim’.

 

We have a whole set of discourse on the merits of the acclaim badges, as well as those awarded by the site for participation...

 

 

CraginS
Defender I

@crystal_waston

@Early_Adopter

 

Let's not confuse three different items:

1. The Acclaim badge is a third-party authenticated confirmation that an individual holds a certification (CISSP, etc.) from (ISC)2. It is not a PDF file. It is an html code item that links back to the Acclaim web site.

 

2. A digital certificate is a cryptographically signed digital object issued as part of a public key infrastructure that includes identification data for a human or logical entity along with the public key(s) of that entity. It is a core part of the PKI environment, and used for both digital signatures and object decryption.

 

3. What (ISC)2 has erroneously called a digital certificate is nothing more than a PDF file of the frameable certificate issued to individuals holding certifications from (ISC)2.

 

As far as the utility of the Acclaim badge, the attempt to obtain evidence that it is useful or has ever been used effectively has drawn nothing but crickets from the Community:

https://community.isc2.org/t5/Certifications/Utility-of-Acclaim-Certification-Badges/m-p/14542

 

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
Early_Adopter
Community Champion

@CraginS I think we’re in agreement, I did edit my post somewhat for readability (auto-correct is a terrible thing.)

 

I took @crystal_waston to be suggesting ‘a digital badge’ as an alternative to the originally mis-named digital certificates (your digital version of your ISC2 certificate providing your certification), and we’ve already got those from acclaim, we don’t really really need another. Then we’ve the forum badges.

 

On utility of the acclaim badges, maybe machines and people acting like machines can use it to verify a credential more quickly, but I think everyone has agreed that they are a bit rubbish and we all know who to blame:

 

https://www.youracclaim.com/org/microsoft-certification*

 

Personally I think ‘Acclamation’ is best reserved for something a bit better than professional certification, I’d say ‘Good job fella’ or similar, and reserve more effusive praise for unique achievements. Interestingly the domain ‘acclaim.com’ was not used as it had been used by a games developer and was opened by someone else.

 

* Ok, probably not true as there are lots of other vendors using these, but I figure that there is a certain driving factor on these and others.

 

 

rslade
Influencer II

> CraginS (Contributor II) posted a new reply in Member Support on 09-29-2018

> @crystal_waston @Early_Adopter   Let's not confuse three different items:

Hey, guys, I wouldn't bother arguing with or correcting "@crystal_waston." Like
"@nancy_perez" I'm pretty sure he/she/it is a bot.

Note that "nancy," in answering a question about "CISSP-Passed-Sharing"
https://community.isc2.org/t5/Certifications/CISSP-Passed-Sharing/m-p/13586/highlight/true#M2744
says "Certified Information Systems Security Professional is an independent
information security certification granted by the International Information
System Security Certification Consortium, also known as (ISC)²."

"Crystal," in addressing the topic of "New exam format for CISSP"
https://community.isc2.org/t5/Member-Support/New-exam-format-for-CISSP/m-p/15015/highlight/true#M2890
says "Certified Information Systems Security Professional is an independent
information security certification granted by the International Information
System Security Certification Consortium, also known as (ISC)². "

While it may not be apparent to the casual reader, those with keenly sharpened
senses and a background in forensic linguistics will note the subtle similarities in
structure and vocabulary.

You can check out further evidence by checking "nancy's" postings
https://community.isc2.org/t5/user/viewprofilepage/user-id/285512981
and "crystal's"
https://community.isc2.org/t5/user/viewprofilepage/user-id/1092220255

I'm not sure what the purpose of the bots is: at the moment they don't seem to be
doing any harm. They may simply be an experiment in whether they can exist,
undetected, in the "community."

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Life's a bitch ... and then you get reincarnated!!
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Early_Adopter
Community Champion

Yowsers, don’t I just feel that burn? 😉

 

As noted elsewhere, I hadn’t looked at the other posts from Crystal in depth so got suckered in nicely, and the context seemed right for trying to be helpful.

 

On the bright side per your forum post, I will of course be in good standing when our machine overlords take over for assistance rendered...

CraginS
Defender I


@rslade wrote:
Hey, guys, I wouldn't bother arguing with or correcting "@crystal_waston." Like
"@nancy_perez" I'm pretty sure he/she/it is a bot.
...
While it may not be apparent to the casual reader, those with keenly sharpened
senses and a background in forensic linguistics will note the subtle similarities in
structure and vocabulary.

Yeah, I had already noted that all Nancy can do is quote definitionally relevant but otherwise useless content from the (ISC)2 web site. Crystal is a new player in the game. I'd love to learn who is running them both, and why. If either the (ISC)2 staff or the community hosting company is doing so, several employees need to be called in on the carpet. Heck, I'd rather have more conversations with ELIZA (yes, I have chatted with ELIZA) than either of these bots.

 

If, on the other hand, nancy and crystal are part of a university research program AI project, I want a copy of the IRB justification and approval documents from that university.

 

 

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
rslade
Influencer II

> CraginS (Contributor II) posted a new reply in Member Support on 09-30-2018

> Yeah, I had already noted that all
> Nancy can do is quote definitionally relevant but otherwise useless content from
> the (ISC)2 web site. Crystal is a new player in the game. I'd love to learn who
> is running them both, and why.

From an overall analysis of both their postings, I suspect it's ISC2's marketing
wing.

> If either the (ISC)2 staff or the community
> hosting company is doing so, several employees need to be called in on the
> carpet.

Well, I may be overstating it with "bot." Given that various supposedly
automated aspects of the "community" are being handled manually (badges, and
seemingly some CPEs) (and possibly even the "reply via email" function--I'm
starting to have strong suspicions given what does and doesn't make it through ...)
I think these may be simply false flag/greenwash accounts that are being used to
post canned/boilerplate marketing pap on various topics.

> Heck, I'd rather have more conversations with ELIZA than either of these
> bots.

I've probably still got a copy of ELIZA around. I remember being amazed at how
small it was.

"Tell me more about 'these bots'."

>   If, on the other hand, nancy and crystal are part of a university
> research program AI project, I want a copy of the IRB justification and approval
> documents from that university.

Would be interesting ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Of course I'm home. I'm always home. I'm uncool.
- Lester Bangs in `Almost Famous'
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

rslade
Influencer II

> Early_Adopter (Advocate I) posted a new reply in Member Support on 09-30-2018

>     As noted elsewhere, I hadn't
> looked at the other posts from Crystal in depth so got suckered in nicely

One of the advantages of the mail interface over the "social media" style Web interface (and one of the reasons I still like CISSPforum over the "community" ...)


rslade
Influencer II

California governor Jerry Brown signed a bill last week that bans automated accounts, more commonly known as bots, from pretending to be real people in pursuit of selling products or influencing elections.

 

Good thing we were only discussing digital certificates, and not the election.

 

(Oh, wait ... we can't discuss the election any more ...)


CraginS
Defender I

 

 

 


@rslade wrote:

California governor Jerry Brown signed a bill last week that bans automated accounts, more commonly known as bots, from pretending to be real people in pursuit of selling products or influencing elections.

 


Reading the act, as linked, it will have only limited application. 

 

"17941.

 (a) It shall be unlawful for any person to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election. A person using a bot shall not be liable under this section if the person discloses that it is a bot.
(b) The disclosure required by this section shall be clear, conspicuous, and reasonably designed to inform persons with whom the bot communicates or interacts that it is a bot."

 

The trick in the wording is "knowingly deceive" which combines with the two alternatives of "purchase or sale" OR "influence a vote." Prosecution will depend on being able to first prove deception, that is, falsehood, and then prove it was done KNOWINGLY.  An untruth told by someone who truly believes the statement is not a lie, even if it does result in deception.

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com