On Thursday 19 May 2005 18:28, Ram A Moskovitz wrote:
> On 5/18/05, Duane <[EMAIL PROTECTED]> wrote:
> > With the intercept and gag laws in the US as they are, Verisign or any
> > other certificate authority can be compelled to issue duplicate
> > certificates,
>
> This may be true, I'm not sure that it is. I suppose that a court
> order is generally compelling so this doesn't sound impossible. On the
> other hand if there is an easier way to do it that is presumably a
> greater concern. How hard would it be to get a CA with an easier
> authentication process to issue a cert for any domain name that you
> wish that would be trusted by Firefox, IE, and Opera?

It depends on who is asking for the certificate. If it is the US government then it is probably easier to ask Verisign. If it is a scammer it is probably easier to ask a small control-of-domain issuer. It all varies, depending. The history of telecoms and phone tracing on a large scale indicates that the largest players were the ones who were targeted first and fell hardest.

> In any case I
> think you would go along with any legitimate request made by a
> legitimate government authority; I would.

I think Duane is in Australia. Are you saying that he should be happy with any legitimate request from the US government? Or are you suggesting that the Australian Federal Police could serve a warrant to Verisign in the US to issue some certs? If the answer is yes, do we include the "bad" countries on the list? Cuba? Iran? Iraq? Do we have a list of legitimate governments?

I think as a first step, if MoFo is planning to accept intercepts on its products by legitimate process, then it would be only fair to disclose which jurisdictions and processes are acceptable, if only to help those authorities serve the CAs with the paperwork. (None of us are speaking for MoFo here, but if the position of any CAs is that they will take service from legitimate governments, then it behoves to let those who might be targeted know that there are limits.)

> > add on to this the fact that browsers don't warn about
> > fingerprints on certificates changing
>
> There is some truth / value here but there's a usability issue too -
> hopefully a balance can be found. Perhaps for a user who participates
> in high value or high sensitivity transactions this is worth doing; for
> someone spending $27 online, the intrusion anytime the site renews
> its certificate or changes CA providers or website hosters (if they
> use that route) this is probably overkill and will result in further
> training the user to say OK to anything that pops up.

The only technologies that let you spend $27 online without you risking more are things like digital cash. Most all systems in the SSL / HTTPS world do their transactions with identity and account information, and the value of that information is generally well in excess of the transaction at that instance. Which means that the proper protection equation needs to cover all the information, and the transaction itself is probably not that important.

> The right approach here in my opinion is to understand that not every
> user has the same level of savvy nor the same level of needs. When
> installing a browser, OS, or any other app a brief interview of the
> user might be a very nice approach. In the case of a web browser the
> two obvious questions are:

HCI is an issue. My thinking is that the sort of information bar you posted under "UI training" is the way to go for a lot of these things. I believe the popup warning dialog to be dead in the water at this stage - although recognise that this is not a widely held view. See the recent article on 300 users, and also the HCI/UI papers posted here a while back. Oh, and here's another one:

http://www.educatedguesswork.org/movabletype/archives/2005/05/what_can_the_ev.html

Those are Eric Rescorla's slides from a talk he gave recently where he indicated that the dialog isn't helping, among other things. I'd recommend the slides to you all; Eric knows a lot about this field having written the book.

(The rest I agree with in principle.)

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
