Duane wrote:
I'm kinda surprised you haven't made more noise about this when you
made mention previously about some CAs offering snooping services to
govt's and being a conflict of interest.
:-) Well, it is because we are making some
forward progress. The fact that the system
has some gaping holes in it needs to be
balanced alongside the fact that it *is* the
system, and AFAICS, it is the only hope for
dealing with phishing.
What's taken me a long time to discover is
that there are more people who actually
do agree with the flaws than I can see. So,
in a sense, let's forget the job of needing
to hammer on the flaws, and start thinking
of the fixes ... in such a way that they improve
the product.
I would be surprised if phishers couldn't walk
through the major CA's practices right now like
chocolate through a goose... There's a huge
So on one hand you are suggesting we foist problems onto CAs and on
the other you show how that won't stop problems. So how is it forcing
problems onto CAs is going to fix anything? :)
If I had a wife she would agree with you :)
Here's the thing. If you've been following
the phishing adventure for the last 2 years,
as I have, after a while you get to understand
the measure of it. And where it's heading....
We do have the dilemma that phishing is
heading in a certain direction: to more acute
and direct attacks on the browser's crypto
system. Right now it bypasses it totally, so
we don't notice.
The Shmoo bug has shown all that in context.
It's drawn a nice line from phishing to HTML
to HTTPS to the user.
So, if you accept that phishing is going to
be forced in the direction of attacking the
CAs to fraudulently acquire certs, what to
do about it?
Well, we have to start protecting the CA's
space and patch. To do that, we have to
create the branded space that the CA can
protect; in order to give the CA what he
needs to protect himself, we must let him
define himself to the users. Ergo, as Bob
pointed out, the original security model.
Once the CA has a space to defend, he can
figure out how to defend it. It might mean
he has to change his business model, or to
change his CPS/CP stuff. Or whatever. But
at least he can do it. At the moment, a CA
cannot defend himself because he isn't
defined. There is no clear definition of what
a CA does ... c.f., the domain v. identity
discussion, cross-borders differences, and
conflicts of interest. But once the branding
is in place, the CA and the market and the
users will create that definition. Which can
then be defended.
If none of that makes sense, think think of
how innoculation works. My current view
is that we have a period during which we
can innoculate the CA system. Do not fight
too hard against a few minor but honest
problems ... because the result will strengthen
the body for the future real battle.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
