Gervase Markham wrote:
Ian G wrote:
That would be incomplete :) What you should say is that
"Gervase thinks GeoTrust certs are not suitable for commerce!"
If you want to be like that, then the correct text is:
"If you put your CC number into here and get ripped off, there's no
possible way you can find the guy who did it."
OK, I'll accept that. So your message for the "good" certs is what?
"If you put your CC number into here and get ripped off,
it might be possible for you to find the guy who did it."
See the dilemma? If you say domain control certs aren't
good enough, what you are saying is that the alternates
*are* good enough. Which means ... you'd better be right!
The average loss from phishing is like $1000-$5000 in
money stolen. Time lost is like hundreds of hours for
an identity theft.
Do you really want to tell people that you know that this
particular cert is good for commerce?
Did you read their paper? They are claiming that the
identity traceability is so unreliable that ... you
can't rely on it.
No, they are claiming that current verification methods are easily
enough spoofed that the identity data placed in certs is so unreliable
that... you can't rely on it. Which is true.
Fair point.
However, that does not preclude CAs doing better verification. Whether
they put the results of that into the cert, or just wait for my friendly
policeman to ring them up and ask for it, doesn't really matter.
Um. Which still leaves the question of just who is doing
all these things, and who it is that is sitting in judgement
over these CAs and saying a) they are doing good enough
verification, and b) I'm prepared to bet my users on it.
Not MoFo. They may have lots of lawyers and money, and
lots of gusto and pizazz, but one class action lawsuit and
that will change quick smart. Not Opera, they just take
cash. Not Microsoft, they take a WebTrust and that's it.
See, it's an impossibly high barrier: if any crook can
get a duff cert, it undermines the whole system. But
with 100++ CAs out there, there will always be a loose
system somewhere. So when some SSL cert gets used to
fleece a thousand innocent Americans of their hard-earned
credit points then they come and sue *you* for saying
that the cert was good for commerce. Bummer!
So we should wash our hands of the whole issue and say "we're not going
to say anything about security because you might sue us. You're on your
own"?
Nope. We stop standing there and saying we are responsible.
Instead, we say, "we do browsers." And, we also say "CAs
do certs, and here's the CA that's doing the cert today."
"Got a problem, go see that CA."
"We don't provide any guarantees that the CA is any good."
"Gee, even the CAs don't provide a guarantee... Not much
point in us doing it."
This is weird. Lots of commerce gets conducted all
the time over non-protected channels. In fact, a
non-trivial amount of credit card traffic gets shifted
over non-protected channels. Search on google for FORM
and credit card number and you'll find lots of small
merchants.
Yep. And it's not good.
Right. But Mozilla does browsers, it isn't the world's
commerce policeman. The browsers are a tool for users,
not their guardian angel. The tool browses, and it
provides forms. It gets numbers to the other side,
sometimes even securely. What it doesn't say is where
is a good place to do that with.
Are you planning to set up a really big table in your UI
that lists all the CAs and whether they are "commerce
rated" or not?
Yep, just about.
That would make you a super-CA.
What happens if they decide to issue an identity cert
and a domain-control cert, under the same root?
See discussion in .crypto.
Please don't tell me you plan to drop their cert from
your table ;-)
What happens if they convince you that it really is an
identity cert, then wait until your UI is out there in
its glorious millions, and then they switch to domain
control? (Bait and switch, a favourite trick...)
Then we issue a security update either pulling their certs for bad
faith, or changing the bits on it.
Ah. So everyone who is ripped off after that is ...
what? Out of luck? Has a legal action against you?
OK, what is the average half-life of an upgrade? That
is, what is time for half the users to be upgraded
once a security alert goes out?
For Microsoft it's measured in years... For Firefox,
can we do better?
Or, here's the alternate. An injunction is filed in
court preventing you from doing these things.
(Quick note, injunctions are normally granted. If
you win the case, years later..., then you can argue
for damages. At least that's how it works in common
law.)
Now your product is going out there ripping off even
more people and the judge is still reading the reams
of paperwork the dodgy CA has landed on his desk.
If you just printed out:
"GeoTrust issued this cert to that domain"
it would solve, completely, once and for all, everyone
of those above issues.
Apart from the one where the user says "so, can I put my credit card
into this page or not?"
Right. That ain't your problem. You are not an
authority on that question. Neither is MoFo. You
haven't even got standing in that question, to use
the legal terminology. Here are the ones who might
have some authority on that question:
merchant
user
CA
credit card issuer
bank
You and MoFo aren't on the list. You should not answer
that question.
You are however an authority on browsers. You might
be an authority on certificates. And SSL. You could
stand in court or stand in front of destitute grandma
and say:
"GeoTrust issued this cert to that domain"
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security