Eddy Nigg wrote:
On 12/02/2008 08:04 PM, Ian G:
Eddy Nigg wrote:
In case of Skype they are the software vendor and control the
software, the issuing instance and also the user
Right, they do everything. One advantage for today: in the case of Skype
we (the user) only have to pay for one organisation. In the case of CAs,
we have to pay for four organisations.
Well, not sure where the payment comes in, but I don't pay personally
for either software, not for certificates and certainly not for my own
private keys. Now where does the "pay" come in?
To clarify, from economics: cost (perhaps better word than pay) is
generated by all activities, and needs to show benefits, or elsewise the
free market will eventually bypass it. So, the cost of the four
organisations still exist, and the fact that you cannot identify a
payment to them doesn't mean that you don't pay, by one means or
another. (The particular branch of economics is called "transaction
costs".)
In the case of Skype, they just use the tools relatively wisely to solve
the problems they need to solve. Their particular design eliminates many
of the things that PKI does, but that is simply because their design
meets the security needs and addresses the threat model for their given
application and audience.
Meets the needs of whom?
Applications and security theory: security doesn't sell. The way to
apply security, as this school has it, is to build it into another
product that generates real benefits to the market.
Skype provided VoIP to the masses. And it was secure. And then it
added chat. And it was secure.
That meets the needs of the users.
The observation here perhaps is that the security wonks are so far away
from the apps field that they cannot easily work out what's what. The
more you know about modular multiplication, the less about users.
(Known issue, specialisation is a trap.)
If there is anything "dictatorial" it is the claim that there is only
one true security model;
Why do you think so many are using PKI? Because it's dictated or because
it solves a problem? I didn't invent it, but it serves the purpose
extremely well, hence I'm using it. Nobody forced me to, it's my own
conclusion.
Sure, but you are biased, as am I and everyone on this list. We are all
engaged in the business in one way or another. We all have an incentive
to "eat our own dogfood" and we all have trouble lifting our heads above
the crowd and seeing which way it's really going.
As to why PKI is used, and is in place, that is a controversial subject.
Suffice to say, it is there, in place, so the task is to improve its
delivery of security to users. Because it is in place, not because it
is good.
(When was the last time your security model was updated?)
There are always some smaller moves here and there, however at large no
updating is needed because it works. Or shall I say, the full potential
hasn't been reached yet and PKI will be deployed just about everywhere?
What did the dolphins say? So long, and thanks for all the phish :)
The PKI world pretty much failed to respond to the authentication
failure of phishing. I don't particularly want to rub anyone's face in
it, because I know people here work long and hard on the bugs and code.
But we were there. We all watched, and what did we get? From the PKI
world, nothing more than some green. Any response to phishing -- the
authentication failure of secure browsing -- came from plugins, banks,
regulators, anti-phishing forums, police, practically everyone *but* the
PKI world. Until the PKI world stands up and says, yeah, we blew that
one, now listen, here's what you have to do ... nobody will pay much
attention.
E.g., update the security model. Think back to the revocation
discussion: that was a request to update the security model. Short
story, we couldn't. Mozilla cannot update the PKI security model.
Period, end of story. The conclusion was that it was to be referred to
a committee that we all know in our hearts cannot change it. Hence, the
only revocation for roots possible is via business paths. Literally, a
hack, added over the top.
https://financialcryptography.com/mt/archives/001107.html
The one-organisation model of Skype has an advantage in security. Not
only in cost, but also, *it can update its security model*. The 4-org
model of PKI cannot update its security model (and it costs more).
Against such a combination, I would suggest that the only advantage that
PKI has is if it were so right that it worked. But phishing and other
threats suggest that this is not so.
Ergo, low deployment. The market does not lie about this. You can
preach to the choir all you like in this forum, but out there in the
security departments of companies, in user-land, in crypo-land, in
social-network-land, and every other land, PKI doesn't have many friends.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto