Simon Anderson wrote:

On Wed, 02 Feb 2005 00:17:01 +0000, Ian G wrote:



MF is not really capable of judging whether one
CA or another is conducting abuses. That's one
known bug in the model: all CAs are equal, and
the consumer is not given a display of the CA so
as to use her own knowledge and preferences to
make a judgement (c.f., branding ideas). Regardless,
MF will never be able to work out whether a CA is
good or bad, and its current policy is to shift that
burden of CA vetting over to WebTrust and equivalents.



I'll assume that you're not being obtuse. This is the most well known issue from Verisign;

http://www.pcworld.com/news/article/0,aid,45284,00.asp

This case allows anyone to make a value judgement on Verisign's services,
MF included. Please don't pretend otherwise.



The facts outlined in that article are not an awful lot to hang one's hat on. They made a mistake, once, and it was 4.9 years ago. So, it's not a current issue, assuming the cert has expired.

And in that time, has this cert (or certs) ever
surfaced to cause any damage or cause any
infections or viruses or stolen CCs?

Systems fail.  That's why we call them systems,
not religions.  Verisign are allowed to make
the odd mistake, which can be considered to
be "proving by exception..."  If they made a
pattern of it we'd have much more to worry
about.  If they had abused their position, that
would be an issue.

But dishing out the odd false cert?  Anyone
who didn't see that coming doesn't understand
systems and corporations and ... well, life.


Verisign's inclusion in mainstream browsers should have been at least
reviewed (if not removed) after such an incident, yet this did not occur.



Right. This is a reflection of the general failure of governance in the CA and Cert market. MF don't take the rub for that, they've started up their program, and what they want to hear about is current issues.


Why is unearned trust of Verisign given by MF despite such incidents,
while a Community Authority is assumed by MF in the first instance to be
untrustworthy? MF forms a value judgement based on a comparison of market
capitalisation between the two organisations, nothing more.



Er, no. That's manifestly wrong. They look at the WebTrust. That's their metric.

And even if it wasn't, Verisign has a track
record of no failures in 10 years or so.  CAcert
has a track record of ... months?

(Now, the reason why there are no failures
is because ... they don't count things like
phishing, which are spoofs that bypass the
certs.  But, that isn't Verisign's fault, and
they are quite happily in accord with me on
this point - they are hamstrung in that they
cannot get the browser manufacturers to
listen.  So I think they've sort of given up
and gone back to selling nonsense to banks.)

... The browser is at the coal face of a user's
security.



Well I agree with that. That's why phishing sucks.

(Did Verisign get their WebTrust renewed? I wrote WebTrust about the
conflict of interest but they never responded.)



The double standard expressed by David here epitomises the Mozilla
Foundation's attitude throughout the eighteen months of discussion on
this topic.


David has found a compromise that suits for now. It's not perfect, but
nobody can make the world perfect.



Ah, the creed of the apathetic and the lethargic.



I imagine David is working on it in his spare time, he's not being paid for it so we can't expect too much. Unless you're referring to me, in which case I'd invite you to browse http://iang.org/ssl/ and come back and discuss creeds.

MF's approach is this;

"Verisign paid for Webtrust, so they will be included no matter how many
times their security is breached or their processes are shown to be
insecure. CA-Cert in contrast, cannot be included without paying for
WebTrust." I think that you will consider this an oversimplification but I
contend that this is the root of the matter, based on eighteen months
of watching MF prevaricate.



MF takes WebTrust. Yes it costs. So what? Your point is that people who can't afford to pay the piper should get a free ride? Perhaps we should go to the government and ask for a handout?

You would be much better off concentrating on why a
costly model like WebTrust doesn't serve the browser
user ... rather than throwing out hand-me-down socialistic
misconceptions about The Man and his evil Dollar.


I think that the CA-Cert people should ask themselves why they want to
have their cert included in MF browsers. If they're interested in secure
solutions they would do well to stay away from a browser so willing to
prostitute itself to commercial entities at the expense of true security.



There isn't much choice. Simple market economics. Mozilla's the #2 game in town, and at least they have a mailing list where you can get shouted down. I haven't even been able to track down who the Konqueror people are (although they do have a security person, albeit highly secure and hidden).

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
