> Frank Hecker wrote:
>> Actually, my domain is "hecker.org", not "hecker.com"; I missed
>> registering hecker.com when I had the chance. If you receive email from
>> [EMAIL PROTECTED] then it is not me :-)
>
> And I might add that if you actually got a message from
> "[EMAIL PROTECTED]" and replied to it, I suspect that you would be able
> to relatively quickly determine that it was not me on the other end.

Good example :) As it happens, I just recently had a conversation with someone who kept asking me question X which made no sense. Eventually, it twigged that he might be thinking of the other person who goes by the name of iang, and it was indeed a case of mistaken identity! But, we did still have a long and engaging conversation about the security field nonetheless.

(for those of you unfamiliar, there is a name clash with the four letters "iang" in this field. The other guy is Ian Goldberg who made a name for himself with Dave Wagner as bored students finding ways to crack the security of Netscape's early SSL, once by crunching 40 bit crypto and another time by discovering the RNG was seeded by the time...)

>> Where acceptance of self-signed certs is much less justifiable IMO is
>> with regard to email from banks, e-commerce sites, etc., both because
>> such correspondence is impersonal and formulaic (and hence easily faked)
>> and because it's mainly a one-way conversation (e.g., bank to you) with
>> no ongoing discussion from which the user can build up knowledge of the
>> person they're corresponding with.
>
> There's one more difference I forgot to add: in personal email there is
> typically minimal "value" associated with any single message; the value
> (such as it is) is rather associated more with the overall conversation
> occurring over multiple emails. On the other hand in business
> correspondence a single message can represent significant value, both to
> the entities involved in the correspondence and to potential attackers.

This effect - the value of a single message - is actually growing in a perverse sense due to the risk of "discovery". And, to bring in the other thread, the other iang is working on a system to reduce this threat. The notion there is to create a plausibly deniable message for use in chat.
I think it's an interesting experiment, but it will not yield a complete solution, as the biggest danger is when fingered and the solution does not take into account the human / legal element.

Dragging back to S/MIME, it has a fundamental confusion as to whether the digsig is a message authentication device or whether it is some sort of legal signature. It should really be one or the other, OpenPGP's cleartext signature makes this distinction much better. I'm unsure what to suggest there, but it does seem for idle email, users should not be signing it with a digsig if that has any legal meaning. Unfortunately, this challenges the key distro protocol so there is some whiteboarding to be done.

> One enduring problem I think is that traditional PKI was/is driven so
> much by the "one valuable message" model, where the goal was perceived
> as both protecting that one message (an invoice, a purchase order, a
> confidential business document, whatever) and embedding handling of that
> one message within a legal framework associated with formal business and
> governmental matters.

Perhaps. IMHO, it completely fails if that was the direction. And, dangerously so, and to the credit of the world of users out there, PKI has not been adopted widely for "high value messages" because it fails to create anywhere near enough framework to support that notion.

(People interested in protecting messages of value should look at the logic in my paper here: http://iang.org/papers/ricardian_contract.html which describes how to link legal processes into Internet contract approaches.)

(Declaration: Messages of Value is my field, being what we call financial cryptography.)

> This is almost totally at odds with the nature and requirements of
> personal email, and thus I understand the concerns expressed by Ian and
> others regarding the appropriateness of current S/MIME practice for
> personal email.
> For example, as I understand Ian he believes that
> encryption is much more important than signing for personal email. I

See above. The meaning of signatures on email might be construed as having legal meaning. I don't think that's really useful or desirable for email.

I think a leaf can be taken from the security alert world there - security alerts are often pgp-cleartext signed. For that particular use, people have a well defined reason and meaning. Fine. But for ordinary correspondence, the default should be "no signing." This applies as much to the corporate world as well.

> understand this point of view: people want encryption of email messages
> for the same reason they send personal letters in envelopes, namely to
> discourage casual eavesdropping, while signing is much less important,
> both because people have other less formal ways to "authenticate" their
> correspondents and because they perceive the threat of a MITM attack as
> of minimal relevance.

I think this is why it is so utterly important to create a set of goals and target users. If Mozilla is concerned about the "average user" and that doesn't include corporate users, then we can easily figure out how to approach this problem.

OTOH, if Mozilla were to target corporate users, and not non-corporate users, then we would go another way.

It's when people want a product that is all things to all people that we end up with conflicting security goals, and products that don't work for either group. In security, it's very important to get close to the users, and understand that small differences matter.

iang
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
