I didn't watch the video but I did read what's on the website. My take is that 
the solution proposed is merely ok. It's not great but it's not terrible either.

Where I would say the idea falls short is in the problem statement. While CA's 
do make for easy targets of criticism for their central role in establishing 
security and privacy, their centralization is not the biggest problem we 
face--certainly not in 2014. It would have been an easier argument to make in 
2011(?) but today we know more about the threat landscape out on the Internet. 

A simple analogy to Convergence is getting the current time. If you see a bank 
clock that says it's 7:45 do you necessarily believe it? Maybe you know it's 
always a little fast and -2 minutes is more accurate. What if a minute later it 
says 53:AA? Maybe you could spend the next 5 minutes searching for other clocks 
but that doesn't necessarily get you a better result. And probably you aren't 
running around town trying to get the most accurate time anyway, so who really 
cares? 

Again, while the idea itself has merit I don't think pursuing its 
standardization and implementation really gets us any closer to where we want to 
be. 

  Original Message  
From: Daniel Veditz
Sent: Tuesday, April 15, 2014 11:09 AM
To: nobody; priv...@lists.mozilla.org; dev-secur...@lists.mozilla.org; 
dev-tech-plug...@lists.mozilla.org; dev-security-policy@lists.mozilla.org; 
wishl...@lists.mozilla.org; addons-user-experie...@lists.mozilla.org; 
i...@convergence.io
Subject: Re: Convergence.

On 4/15/2014 7:43 AM, nobody wrote:
> I just wondered... what is the pull back regarding Convergence to put it in
> the webbrowsers by default?

The main issue is who are the notaries? If they're simply reflecting 
back "Yup, I see this valid CA cert" then they aren't adding a whole lot 
of value for the amount of risk they introduce, and if they're making 
their own judgement about the validity of the certificates on some other 
ground they just become a type of Certificate Authority themselves. Who 
pays for that infrastructure, and what is their motive?

Firefox and Chrome are both working on implementing "key pinning" (and 
participating in the standardization process for it) which won't "free 
us from the CA system" but will at least ameliorate one of the worst 
aspects which is that any two-bit CA anywhere in the world can issue a 
certificate for any site, anywhere.

The IETF is working on standardizing "Certificate Transparency", Chrome 
is implementing it, and at least one CA is participating. This again 
doesn't free us from the CA system, but it does make the public 
certificates auditable so that mis-issuance could theoretically be detected.

> Or I hack the router you
> use to access the internet... all of the notaries you try to talk to I
> redirect to me. I say every site is
> valid regardless if it is or not. How is this more secure?

I haven't looked at the technical details of convergence but presumably 
it requires a secure connection to the notary or better that the notary 
responses are signed by the notary. If the communication with the notary 
is unreliable then it's no help at all.

The main practical problems with convergence are that it introduces a 
dependency on traffic to a 3rd party which hurts privacy, reliability, 
and performance. These are similar to the problems we have today with 
OCSP revocation checking.

-Dan Veditz
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy