On 09/24/2010 01:29 PM, Martin Rex wrote:
> Peter Saint-Andre wrote:
>
>> For context, the "quoted advice" is mostly a description of current
>> usage in some existing user agents. Incorporating Barry's suggestions,
>> that text currently reads as follows in our working copy:
>>
>>    Security Note: Some existing interactive user agents give advanced
>>    users the option of proceeding despite an identity mismatch.
>>    Although this behavior can be appropriate in certain specialized
>>    circumstances, in general it ought to be exposed only to advanced
>>    users and even then needs to be handled with extreme caution, for
>>    example by first encouraging even an advanced user to terminate
>>    the connection and, if the advanced user chooses to proceed
>>    anyway, by forcing the user to view the entire certification path
>>    and only then allowing the user to accept the certificate on a
>>    temporary basis (i.e., for this connection attempt and all
>>    subsequent connection attempts for the life of the application
>>    session, but not for connection attempts during future application
>>    sessions).
>>
> This whole paragraph is evil and completely wrong.
>
> It's bad enough that the web browser crowds replaced a useful option
> and important security feature with an extremely evil scary page.
>
No, this paragraph is exactly what should happen. Click through dialogs are demonstrably useless. They train users to ignore them. The only place for them is if you decide that validation is not necessary.

> Offering to end-users, in a single-time-only leap-of-faith approach similar
> to what SSH has been successfully doing since its invention to memorize
> the peer's certificate is magnitudes more secure than the endpoint
> identification linking to one of a hundred trust anchors, provisionally
> preconfigured by your software supplier.
>

SSH is good for small numbers of point to point connections where the user controls both sides. The SSH model is not appropriate for the general population connecting to millions of webservers. That is why SSH is used extensively in admin deployments (where the admin controls both machines) and is not used for e-commerce. If you want that semantic, use SSH. If you want security for the masses, use SSL (with full PKI).

[ case where SSL is being used for an SSH use case deleted]

bob
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
