Hi Ram,
Ram A M wrote:
I don't quite see how you can link these things that
you talk of - CRL/OCSP - to brand equity or reputation,
simply because a) CAs have no branding way to reach
the relying parties (users) and thus b) a very limited
way to convince purchasing parties (sites) of the need
to pay attention.
The fact is that some if not all CAs are constantly engaged with large
companies, platform providers, government agencies, and other concerned
entities who have an interest in raising the bar for one reason or
another.
Is that for real? Are any of these CAs talking
to platform providers about fixing the holes in
the browsers? If I was a CA I'd be panicking by
now, because CAs are obvious targets when it
comes to phishing, and a class action jury isn't
necessarily going to follow all the ins and outs
of the CPS/CP and all that stuff.
Additionally a CA who is committed to a long term business
based on trust is likely to do things to try and enable feedback loops
to align with competition for trust. You won't find stronger
back-office advocates for raising the bar than a committed CA. VeriSign
puts a lot of money and resources into maintaining its operations and
brand as trusted - that's no accident.
I'd suggest you avoid using the word 'trust.' It
will cause problems when someone calls you on it.
Better to be very clear what it is you are providing
to a relying party. Even Verisign knows that now,
check their logo.
This isn't the CAs' fault, and every
CA I have ever talked to understands that they are
powerless to develop their brand and thus their features
of quality of service until the browsers play their part.
I don't think our product marketing guys would agree with that.
OK! Ask them if they would like to reach out to the
users of browsers? I'm curious what reason they would
give for not wanting that. I'd love to learn what
their real insiders' view of the brand is, aside from
the normal "our brand is our asset and we protect it
strongly blah blah..."
But until that happens, any talk about CA brand is just
hypeware as far as I can see.
I certainly agree that the end user is not very well empowered but
market research has shown consistently over the years that VeriSign is
a trusted brand on the internet, more so than some of the largest real
world brands.
! Well, there you go. As VeriSign has no way to
reach ordinary users in the operations of its product,
I'm not sure what the market research would test.
(This point comes out in the TrustBar paper where they
tested the brand recognition, and even Verisign flunked
the test.)
I love TrustBar and have a tremendous amount of respect for the work
Amir and co. have done. I think they've drawn some good conclusions and
improved the safety of their 'customers.' None the less I don't agree
with that conclusion.
Sure, well, it was only a small test, and no doubt if
Verisign were to employ an independent firm to repeat
the test, some different results might occur.
So, I'd suspect that brand and reputation are not useful
reasons behind CRL/OCSP work, as yet. It may have a
strategic future, but that's for the futurologists.
I agree that in the grey area of "useful" it is not as useful as it
will be "as yet." Strategy is all about planning to reach your goals.
As MoFo has a goal of making the user safer the use of strategy is
appropriate; I suppose this is a futurologistic debate :p
It is, and I'm somewhat surprised that nobody's called
me on it before ;) This is a very strategic debate, it's
about what happens in the next wave of phishing, where
CAs have to face threats. With any luck there will be
some defences in place. If it were to start today, I'd
think we'd have big problems.
Of course, we have fraud out there, that's what the
revocations are intended to stop. So it is a simple
matter of measuring how much fraud is out there, then
working backwards from that to work out how many fraud
transactions are blocked by the revocations that actually
get through to the relying parties.
Yep. I agree that lower latency of revocation increases value such that the
CRLs that are updated more frequently or OCSP responses that reflect
more current status are useful from a practical perspective.
Sure, once we have some basic figures on how much
fraud these things stop, one can look at the benefit
of tuning. Until those figures are in, however, I
wouldn't advise too much tuning, that would be
premature optimisation.
Nothing's perfect, we will see a failure rate in there,
where something didn't work out and a fraud got through.
It's probably a benefit if it can reach 50% savings.
If it was only 10% savings I'd be skeptical of its value,
and if it was 90% it would be miraculous.
But somewhere between those numbers would be grand, this
would be a solid working number that said to Mozilla,
yes, we can hang a hat on this. We can say that the
attention paid to CRLs is definitely something to bring
to our users in a positive discriminatory fashion.
I try hard to recognize that I have a CA hat in my closet. I'll say
that with or without my hat I want to see software providers innovate
rather than react. One of the reasons I value this debate in nmp* is
that I think through debate we can reach consensus on improvements,
hopefully proactive improvements even if they are imperfect. I assume
that's more or less universal in npmc & npms.
That all would be nice. Right now we are in a
reaction game though. It would be nice for Mozilla
to turn around and say "let's do some innovation on
security and browsing" but that isn't where we are
at. Right now, it's a catch up game - catching up
with the phishing.
This has the benefit of having a really clear target.
Fix phishing. Doesn't get much clearer than that.
But it does mean that the market is moving and Mozilla
has a clear choice - react now as it sees it move, or
react too late, and then pay the penalty. The other
thing that is very clear is that the next milestone
is "this summer" when Microsoft releases its anti-
phishing release of IE. Better have a good story
to tell by then, just in case Microsoft surprise us
all and get it right.
I think it's better to help craft the future by making improvements
today. The difference is the driver, the good guys or the bad. The way
I see it the good guys outnumber the bad by orders of magnitude and
therefore small practical improvements by the good guys (in parallel)
makes for more rapid change towards their goal.
Well, sure, we can't possibly help fix the losses
of the past. I'm sort of hoping that we reach
stability in secure browsing losses of around a
billion per year, but we won't know for a while
whether losses are continuing to climb.
And the good news is that the good changes that
have been suggested hurt no-one and help everyone.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/