On Tue, Apr 14, 2015 at 07:51:24AM -0500, Peter Kurrasch wrote:
> So, to paraphrase, the security benefit to CT is on par with posting speed
> limits along a highway: if you're going to break the rules, don't get
> caught.

I think that's a very bad analogy.  The way the *entire* world works is "if
you're going to break the rules, it'd be better if you didn't get caught". 
There are already "speed limit" signs along the PKI highway, it's just that
there's no comprehensive record of everyone's speed.

The thing is, there's a lot of research in psychology and related fields
that the mere *perception* of being watched is enough to change a person's
behaviour.  Here's a good study to start things off:

    http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1686213/

    We examined the effect of an image of a pair of eyes on contributions to
    an honesty box used to collect money for drinks in a university coffee
    room. People paid nearly three times as much for their drinks when eyes
    were displayed rather than a control image. This finding provides the
    first evidence from a naturalistic setting of the importance of cues of
    being watched, and hence reputational concerns, on human cooperative
    behaviour.

A PICTURE of eyes was enough to change behaviour.  There was no rational
reason to believe that the honesty box was *actually* being watched, but 
it was enough to change behaviour.

CT is even better than a picture of a pair of eyes, though.  We *will* have
a record of every certificate that gets issued, going back over a long
period of time.  Even if nobody is watching every certificate being issued
in real-time, anyone can go back through the history of issued certificates
and look for any misissuance they like, and make whatever noise they like
about it.  There has been significant value in all sorts of ways from the
available SSL census data that has been gathered by various parties, and
that is pretty much guaranteed to only be a (skewed) sample of all
certificate issuance.

>  And if you do get caught, have a good excuse--although in the
> case of CT there is no process for dealing with potential violators. 

It's not CT's remit to specify the consequences for violation, and even if
the trans working group took it into their heads to specify penalties, there
is no power to enforce those consequences.  The organisations which have
the authority to actually do something about misissuance (browser authors
and managers of widely-used root stores) will do their own thing in line
with their own policies and organisational goals, and no waffling in a CT
RFC is going to change that.

> If we continue the whitehouse-dot-gov example, suppose such a cert shows
> up in the CT logs for an agency such as CNNIC and then a week later it was
> revoked.  I don't see anyone taking action against that agency.

Maybe, maybe not.  The nice thing about hypotheticals is that you can assert
they'll go any way you like.  Staring into my crystal ball, I see that if
CNNIC mis-issues a certificate for whitehouse.gov, ISIS will invade
Madagascar.  Talk about consequences!

- Matt

-- 
A friend is someone you can call to help you move. A best friend is someone
you can call to help you move a body.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
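The auditing Matt describes above (anyone walking back through the full history of issued certificates and looking for misissuance) in runnable form. This is an added example, not code from the thread, from Mozilla or from the trans working group. It implements the RFC 6962 Merkle Tree Hash and audit path construction, the inclusion-proof check as written out in RFC 9162 section 2.1.3.2, and a monitor pass over the history that flags certificates naming a watched domain whose issuer is outside the set the domain owner actually uses. The log entries, CA names and the short-string leaf encoding are constructed for the example; a real log's leaves are DER certificates wrapped in a MerkleTreeLeaf structure, and a real monitor would fetch them from the log's get-entries endpoint.

```python
"""Toy Certificate Transparency monitor (added example, constructed data).

Two properties of a CT record are shown:
  1. the Merkle Tree Hash and inclusion proofs (RFC 6962 section 2.1, verification
     per RFC 9162 section 2.1.3.2), so an entry cannot be quietly dropped or altered
     once it sits under a published tree head;
  2. a walk over the whole history looking for certificates that name a watched
     domain but were issued by a CA the domain owner does not use.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    index: int
    issuer: str
    names: tuple


# Constructed sample history; none of these are real certificates or CAs.
SAMPLE_LOG = [
    Entry(0, "Example Trust CA", ("example.com", "www.example.com")),
    Entry(1, "Example Trust CA", ("mail.example.com",)),
    Entry(2, "Other Root CA", ("whitehouse.gov",)),  # issuer the owner never used
    Entry(3, "Gov Trust CA", ("whitehouse.gov", "www.whitehouse.gov")),
    Entry(4, "Example Trust CA", ("shop.example.com",)),
]


def leaf_bytes(e: Entry) -> bytes:
    """Simplified leaf encoding; stands in for the MerkleTreeLeaf TLS structure."""
    return f"{e.issuer}|{','.join(e.names)}".encode()


def hash_leaf(data: bytes) -> bytes:
    # RFC 6962: leaf hashes are domain-separated with a 0x00 prefix ...
    return hashlib.sha256(b"\x00" + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pose as a subtree.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def mth(leaves) -> bytes:
    """Merkle Tree Hash over a list of leaf inputs (RFC 6962 section 2.1)."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = _split(n)
    return hash_node(mth(leaves[:k]), mth(leaves[k:]))


def audit_path(leaves, m: int) -> list:
    """Sibling hashes from leaf m up to the root (RFC 6962 section 2.1.1)."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return audit_path(leaves[:k], m) + [mth(leaves[k:])]
    return audit_path(leaves[k:], m - k) + [mth(leaves[:k])]


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int, path, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (RFC 9162 section 2.1.3.2)."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = hash_leaf(leaf)
    for p in path:
        if sn == 0:
            return False  # more path elements than the tree has levels
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            # An unpaired rightmost node is promoted until it meets a left sibling.
            while fn != 0 and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def find_unexpected_issuers(log, watched_domain: str, expected_issuers) -> list:
    """Walk the whole history and return entries that name watched_domain (or a
    subdomain of it) but whose issuer is outside the owner's expected set."""
    def matches(name: str) -> bool:
        return name == watched_domain or name.endswith("." + watched_domain)
    return [e for e in log if any(map(matches, e.names)) and e.issuer not in expected_issuers]


def main() -> None:
    leaves = [leaf_bytes(e) for e in SAMPLE_LOG]
    root = mth(leaves)
    for e in SAMPLE_LOG:
        ok = verify_inclusion(leaves[e.index], e.index, len(leaves), audit_path(leaves, e.index), root)
        print(f"entry {e.index} inclusion proof: {'ok' if ok else 'FAILED'}")
    for e in find_unexpected_issuers(SAMPLE_LOG, "whitehouse.gov", {"Gov Trust CA"}):
        print(f"entry {e.index}: {e.names} issued by {e.issuer!r}, which the owner does not use")


if __name__ == "__main__":
    main()
```

The scan is deliberately simple: the point is that nothing about it needs the log operator's cooperation. Given the published tree head and an entry's audit path, a third party can prove the entry was in the record at that size, and the same third party can run whatever issuer policy it likes over every leaf after the fact.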