Can I correctly infer that you don't feel any safer submitting your social security number to a site using a VeriSign Class 3 certificate relative to a 'domain-control' only certificate?
No, you can't necessarily infer that :-) Subjectively I personally would feel safer submitting sensitive information to a site using a "claimed identity" certificate than I would if the same site had only a "control of domain" certificate, assuming that the certs are from the same overall CA provider and that the UI made me aware of the difference. This is for two reasons:
First, per the argument in my prior message, for a given CA the risk associated with the "claimed identity" certificate is certainly not greater than with the "control of domain" cert, and could possibly be less.
Second, if the site were an e-commerce or financial services site or a site run by a substantial organization then I would expect them to spend the extra money to get the more expensive cert, given that the incremental cost is probably negligible in comparison to the financial resources available to them or potentially available to them, and I'd be suspicious if they tried to save money by getting a less expensive cert.
In effect using the more expensive cert acts as a signalling mechanism: This organization is willing to spend money on their site, and hence is serious about doing business with me. It's not the only such signalling mechanism: Having a clean and professional site design, not having typos or confusing language on the site, having a "deep" site (in terms of lots of content about the organization's products and services, and how it does business), not having typos or ungrammatical sentences in the site content -- all of these signal to me and others that the organization has spent time and money on the site and hence is serious about providing a quality service.
Now clearly most of this has nothing to do with security per se, and of course phishing sites could simply rip off all the content of existing sites and also get "claimed identity" certs of their own. But this does raise the bar for phishers a little bit, and seeing these sorts of signals does make me (and I suspect others) subjectively feel a little better.
<digression>
As a side note, IMO there's a fascinating analogy here to the hypothesized role of signalling mechanisms in the context of biological evolution. The basic idea is that when evaluating potential mates animals use physical attributes like physical size, the condition of feathers and fur, etc., as signals of general health, freedom from parasites, etc. -- all the things that might maximise reproductive success. The animals being thus evaluated are "motivated" to present false signals ("motivated" in the sense that genes improving an animal's ability to present false signals would be selected for), which in turn "motivates" (in the sense defined above) the animals doing the evaluation to get better at deciding exactly which signals to look for.
The hypothesized conclusion from all of this is that the "best" signals (i.e., the ones that would be selected for in the course of interactions between many generations of evaluators and evaluatees) would be those that are most difficult to fake. This is one evolutionary explanation for why some animals have extreme physical attributes (large antlers, long and showy feathers, etc.) that would otherwise seem detrimental to them: it's exactly because such attributes require large amounts of energy and time to maintain that they are good signals -- an unhealthy animal would be unable to fake them.
I will leave the application of this theory to produce newer and more effective anti-phishing strategies as a exercise for any interested readers :-)
</digression>
Back to my subjective feeling of increased safety due to use of identity certs: The problem is that subjectivity is not necessarily what people want in a policy. If everyone involved were happy with me (or someone else) saying "Yes, I subjectively feel that it's safe to include CA Foo in the CA cert list" or "No, I feel queasy about having CA Bar in the list, so I'll reject them", then we wouldn't need a policy at all.
That's certainly a legitimate approach; it's the approach taken in many areas of Mozilla development, where module owners make subjective decisions every day ("accept patch A, reject patch B") in the absence of written policies. But when it comes to the question of which CAs are included in Firefox/Thunderbird/etc. and which are not, people don't seem to want to leave this to a subjective decision.
(Of course, that may just be because they don't trust me to make those decisions. In that case anyone else is free to come forward and propose themselves to the MF as the owner of these decisions, and if that's acceptable to the MF I'll gladly stand aside -- it's not as if it's my life goal to be the CA gatekeeper for the Mozilla project.)
[re justifications for "low assurance" / "high assurance" distinctions]
I'd say that in the early days the US lawyers working in industry (legal and CA believed that such a distinction was paramount for a robust PKI.
I acknowledge your point here; I know that people spent lots of time debating these issues. However I think the key word in your sentence is "lawyers"; I suspect (and to some extent recall) that a lot of the discussions and "research" work were around how PKI was going to function from a legal sense, and in particular how things like digital signatures were going to interact with existing laws and procedures governing contracts, etc. In this context distinctions like "low assurance" vs. "high assurance" make sense, in the same way that the legal distinctions between verbal contracts and written contracts make sense. However this legal analysis is not the same as an security analysis dealing with actual threats, risks, cost/benefit tradeoffs, and so on, and I'm not aware to what extent anyone did this sort of economic analysis in addition to the legal analyses.
Do you really believe that it is as easy to get an 'identity cert' as it is to get a 'domain control' cert?
No, I don't. That's why I wrote "if it were trivially easy" and not "it is trivially easy".
Please understand that I'm not trying to discount CAs and the amount of work they put into providing a quality service. My point was simply that just because a CA provides two (or more) different cert offerings doesn't mean that you can assume a priori (i.e., in the absence of other evidence) that there is any significant improvement in security (i.e., significant reduction of risk) associated with the "higher assurance" service. This is something that has to be demonstrated, and doing so is not necessarily trivial.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
