On 5/1/09 22:16, Nelson B Bolyard wrote:
> Ian G wrote, On 2009-01-05 11:28:
>> We know as a more or less accepted fact that the design of secure
>> browsing was for Credit Cards,
> I believe that you've accepted that as fact. But PR and marketing is not
> design. It was designed for MUCH more than mere credit cards.
So, perhaps one group of people said one thing, another said another
thing. First question is, what's our reference here? What standard,
designed for whom? Can we pick one and stick to it?
The original question was, can we set up different price points and/or
security models for certs: IV, OV, DV, AV, EV, etc.
As we can't even agree on who these things are designed to protect, and
as they were never asked, it seems that there can be no objection to
variations in them?
(Protecting everyone from everything is a non-starter.)
>> and the benefit there is solely for CC vendors, not consumers, because
>> the consumers are already covered by the $50 liability limit. They never
>> had any real concern whatsoever that anyone was reading their cc
>> numbers.)
> Only in the USA is that even close to true.
Well, to some extent, only the USA market was important in the early
design of the *commerce* parts of the web.
Also, IIRC, it was true in Australia and Britain. In Europe it wasn't
such a big issue because credit cards weren't that important. (Even
today, they aren't as important, as direct debit is far more important,
which has a different liability arrangement, and wasn't relevant for the
original market. One could argue they are now relevant today, but that
would just add gasoline to the fire.)
> And even in the USA, the
> damage caused by a stolen credit card is far broader than whatever
> monetary value the thief got with the stolen number.
That's the point. It was to the benefit of others than consumers. Or
if it was to the benefit of the consumers, what was it that was on
offer? Refund of the $50?
> But that's somewhat
> moot because CCs are NOT and never were the sole reason for the design
> of SSL. (Did you read what I previously wrote about SSL vs SET?)
OK, and that somewhat backs up my point. We are talking about consumers
here. Consumers were told what they needed it for. They needed it for
credit cards, right? That's what they were told, way back when.
Now they are being told they need EV for online commerce.
The point being that the user is and was never consulted in this
conversation. Which is why there is no feedback from the market. Which
is why we can do anything we like, and then create the user message. Or?
E.g., these messages from a couple of well-known security commentators:
http://news.cnet.com/8301-1009_3-10129693-83.html
==========================
In an interview on Tuesday morning, cryptography expert Bruce Schneier
praised the research but downplayed the real-world consequences of the
findings.
"SSL protects data in transit but the problem isn't eavesdropping on the
transmission. Someone can steal the credit card on some server
somewhere. The real risk is data in storage. SSL protects against the
wrong problem," he said.
"This is good work, great cryptography. I love the research, but this
doesn't matter a whit," Schneier added. "There are half a dozen ways to
forge certificates and nobody checks them anyway."
Paul Kocher, president of Cryptography Research and an architect of the
SSL 3.0 protocol, said the exploit highlights the need for a new
universal hash function "that everyone is comfortable with."
"The paper is not a surprise, but at the same time it's the crispest
demonstration for why it's necessary to remove this broken algorithm
everywhere it is being used," he said, before adding "there are bigger
things to worry about, like browser bugs and operating security bugs."
===========================
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto