On Tue, Apr 14, 2015 at 07:51:24AM -0500, Peter Kurrasch wrote:
> So, to paraphrase, the security benefit to CT is on par with posting speed
> limits along a highway: if you're going to break the rules, don't get
> caught.

I think that's a very bad analogy. The way the *entire* world works is "if you're going to break the rules, it'd be better if you didn't get caught". There are already "speed limit" signs along the PKI highway, it's just that there's no comprehensive record of everyone's speed.

The thing is, there's a lot of research in psychology and related fields that the mere *perception* of being watched is enough to change a person's behaviour. Here's a good study to start things off:

http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1686213/

    We examined the effect of an image of a pair of eyes on contributions
    to an honesty box used to collect money for drinks in a university
    coffee room. People paid nearly three times as much for their drinks
    when eyes were displayed rather than a control image. This finding
    provides the first evidence from a naturalistic setting of the
    importance of cues of being watched, and hence reputational concerns,
    on human cooperative behaviour.

A PICTURE of eyes was enough to change behaviour. There was no rational reason to believe that the honesty box was *actually* being watched, but it was enough to change behaviour.

CT is even better than a picture of a pair of eyes, though. We *will* have a record of every certificate that gets issued, going back over a long period of time. Even if nobody is watching every certificate being issued in real-time, anyone can go back through the history of issued certificates and look for any misissuance they like, and make whatever noise they like about it. There has been significant value in all sorts of ways from the available SSL census data that has been gathered by various parties, and that is pretty much guaranteed to only be a (skewed) sample of all certificate issuance.

> And if you do get caught, have a good excuse--although in the
> case of CT there is no process for dealing with potential violators.

It's not CT's remit to specify the consequences for violation, and even if the trans working group took it into their heads to specify penalties, there is no power to enforce those consequences. The organisations which have the authority to actually do something about misissuance (browser authors and managers of widely-used root stores) will do their own thing in line with their own policies and organisational goals, and no waffling in a CT RFC is going to change that.

> If we continue the whitehouse-dot-gov example, suppose such a cert shows
> up in the CT logs for an agency such as CNNIC and then a week later it was
> revoked. I don't see anyone taking action against that agency.

Maybe, maybe not. The nice thing about hypotheticals is that you can assert they'll go any way you like. Staring into my crystal ball, I see that if CNNIC mis-issues a certificate for whitehouse.gov, ISIS will invade Madagascar. Talk about consequences!

- Matt

-- 
A friend is someone you can call to help you move. A best friend is someone you can call to help you move a body.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy