Reply to post: Re: Was this

Expired cert... Really? #O2down meltdown shows we should fear bungles and bugs more than hackers

Voland's right hand Silver badge

Re: Was this

Do not blame Ericsson here.

UK telco operations have a well established and entrenched fear of certificates for anything.

Once upon a time, before I went back to write software, I still did network architecture including security aspects. So while working in a major UK telco I proposed the idea of certificates everywhere for purposes of inventory, identification and security of provisioning. I was freshly out of a vendor where I did most of the design and implementation of an x509 retrofit into everything and they became the foundation of how the system fits together. So I was expecting some questions or a technical discussion.

I got none.

The faces around the table looked like they were a still frame from The Shining. They looked at the idea like I was serving a disemboweled body with maggots and suggesting they eat it. They were horrified at the idea despite having less than 60% accurate inventory and a long standing requirement to secure key aspects of the network management.

This fear has its roots in incidents like the one in O2. It is also the root cause of incidents like O2.

UK telcos (and most telcos in general) fail to understand the most basic principle of using X509 for infrastructure purposes.

It is: YOU RUN YOUR OWN CA. No vendor roots. The root is yours. And so are ALL certs.

Because they do not understand it and fear it, they either use vendor certs (which expire at the most unfortunate moment) or outsource it to an external CA which defeats the purpose of the exercise as you are no longer in control of your network. Either one of these results in an incident like O2 which in turn results in more fear, more vendor use and more outsourcing.

Ad nauseam, rinse, repeat.

Oh, and by the way, no lessons will be learned from this incident - O2 will NOT start running its own CA as it should.
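The check the comment above is arguing for, as an added example in Go (standard library only; this is not the commenter's code or any telco's or vendor's): an inventory audit that trusts only an internally operated root and reports how many days each device certificate has left, so a vendor-rooted or soon-to-expire cert is caught before it expires "at the most unfortunate moment". The CA names, node names, serial scheme and validity periods are constructed sample data.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a cert for cn: self-signed when parent is nil, otherwise signed by parent's key.
func mkCert(cn string, isCA bool, now, notAfter time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // toy serial
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // nil parent: self-signed root
	if parent != nil {
		signer, signerKey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// AuditLeaf verifies leaf against a pool holding ONLY our own root (no vendor or public roots) and
// reports days to expiry; checking the chain at the leaf's NotBefore keeps "wrong root" and "expired" separate.
func AuditLeaf(leaf, ownRoot *x509.Certificate, now time.Time) (chainsToOwnRoot bool, daysLeft int) {
	pool := x509.NewCertPool()
	pool.AddCert(ownRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: leaf.NotBefore.Add(time.Minute)})
	return err == nil, int(leaf.NotAfter.Sub(now.Truncate(time.Second)) / (24 * time.Hour))
}
// BuildSample is a constructed inventory: our root, a vendor root, a device cert we issued (400 days left)
// and a vendor-issued device cert (20 days left); returns own root, own-issued leaf, vendor-issued leaf.
func BuildSample(now time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	ownRoot, ownKey := mkCert("Telco Infra Root CA", true, now, now.AddDate(10, 0, 0), nil, nil)
	vendorRoot, vendorKey := mkCert("Vendor Default Root", true, now, now.AddDate(10, 0, 0), nil, nil)
	okLeaf, _ := mkCert("mgmt-node-01", false, now, now.Add(400*24*time.Hour), ownRoot, ownKey)
	vendorLeaf, _ := mkCert("mgmt-node-02", false, now, now.Add(20*24*time.Hour), vendorRoot, vendorKey)
	return ownRoot, okLeaf, vendorLeaf
}
```

Run AuditLeaf over every cert in the inventory with the same root pool: anything that does not chain to your own root, or whose daysLeft falls under your renewal window, is an incident waiting to happen.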
