On 23/11/11 11:11 AM, Peter Gutmann wrote:
> JeffH<jeff.hod...@kingsmountain.com> writes:
>> Of possible interest:
>> The weakest link in the chain: Vulnerabilities in the SSL certificate
>> authority system and what should be done about them
> It's not just NGOs that are seeing that browser PKI is "the weakest link in
> the chain". I was recently told of someone at a law workshop in which the
> topic of browser PKI and DigiNotar came up. In their words, "this was a
> roomful of people who couldn't tell you what SSL did, but they'd heard of
> DigiNotar". That's a level, and type, of exposure that you really don't want
> to get to.
Yeah. Up until now, PKI / secure browsing was tolerated. This
situation can be seen as an expectation or meme or myth in the
marketplace, where the belief was stable because there was no disconfirming
information. E.g., no bad news.
Now we have bad news that acts to disconfirm the expectation that secure
browsing delivers some positive result. And, the CAs/vendors have no
good story to tell that would reverse the sense of the bad news.
So a plausible scenario now is that people who otherwise wouldn't care
("tolerate") and don't otherwise know, will start actively bypassing the
system.
Another way of putting it is that in the past, people would use SSL
because secure browsing "is essential" without knowing why. Now, people
will avoid it, citing DigiNotar. Again without knowing why.
This is the problem with a system that doesn't deliver a result that can
be correlated to its claimed purpose. Cf. Dan Geer's comment.
http://financialcryptography.com/mt/archives/001255.html
To live in interesting times!
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography