Duane wrote:
I'm kinda surprised you haven't made more noise about this when you made mention previously about some CAs offering snooping services to govt's and being a conflict of interest.
:-) Well, it is because we are making some forward progress. The fact that the system has some gaping holes in it needs to be balanced alongside the fact that it *is* the system, and AFAICS, it is the only hope for dealing with phishing.
What's taken me a long time to discover is that there are more people who actually do agree with the flaws than I can see. So, in a sense, let's forget the job of needing to hammer on the flaws, and start thinking of the fixes ... in such a way that they improve the product.
I would be surprised if phishers couldn't walk through the major CA's practices right now like chocolate through a goose... There's a huge
So on one hand you are suggesting we foist problems onto CAs and on the other you show how that won't stop problems. So how is it forcing problems onto CAs is going to fix anything? :)
If I had a wife she would agree with you :)
Here's the thing. If you've been following the phishing adventure for the last 2 years, as I have, after a while you get to understand the measure of it. And where it's heading....
We do have the dilemma that phishing is heading in a certain direction: to more acute and direct attacks on the browser's crypto system. Right now it bypasses it totally, so we don't notice.
The Shmoo bug has shown all that in context. It's drawn a nice line from phishing to HTML to HTTPS to the user.
So, if you accept that phishing is going to be forced in the direction of attacking the CAs to fraudulently acquire certs, what to do about it?
Well, we have to start protecting the CA's space and patch. To do that, we have to create the branded space that the CA can protect; in order to give the CA what he needs to protect himself, we must let him define himself to the users. Ergo, as Bob pointed out, the original security model.
Once the CA has a space to defend, he can figure out how to defend it. It might mean he has to change his business model, or to change his CPS/CP stuff. Or whatever. But at least he can do it. At the moment, a CA cannot defend himself because he isn't defined. There is no clear definition of what a CA does ... c.f., the domain v. identity discussion, cross-borders differences, and conflicts of interest. But once the branding is in place, the CA and the market and the users will create that definition. Which can then be defended.
If none of that makes sense, think think of how innoculation works. My current view is that we have a period during which we can innoculate the CA system. Do not fight too hard against a few minor but honest problems ... because the result will strengthen the body for the future real battle.
iang
-- News and views on what matters in finance+crypto: http://financialcryptography.com/
_______________________________________________ mozilla-crypto mailing list mozilla-crypto@mozilla.org http://mail.mozilla.org/listinfo/mozilla-crypto