On Thursday 12 May 2005 06:19, Duane wrote:

> Actually the funniest thing was said the other day, Mark Shuttleworth
> came out and said the root certificate for Thawte was kept in his
> underpants drawer for the first 2 years of operation. Needless to say the
> audience was in stitches over that one...

I must be really boring, I don't find that odd at all. Where would you keep the root cert? You surely don't believe all those stories about m of n copies distributed in hardened bunkers...

A CA root cert is no big deal. If it gets lost, just mint another one and let everyone know you lost it and to watch out for it. Chances are nobody will try and do anything with it, and after a while, the expiry date will pass. As long as there is no active attack scenario on CAs there is practically no risk of any cert being misused, be it a root cert or any of the Shmoo or Microsoft dodgy certs.

Concentrate on business, and use paper bags to avoid hyperventilation.

> As Gerv points out (as have others), currently there are no minimums and
> commercial CAs (not necessarily security people) with the intent of
> increasing their own market share to the detriment of others (since SSL
> has been such a huge success and all), I'm just not seeing altruism from
> anyone here but Gerv, yourself and the mozilla foundation.

Well, I have to agree with ... everyone here :)

The essence of the game is to get SSL and similar protection to the users. This does not happen if the CAs can't make any money; either the CAs have to be removed or we have to find a way to make them some money, or they have to do it for free. Economics is not really negotiable at the physics level.

Altruism doesn't really cut it. It is too slippery and subject to perversion at the hands of those who are smarter. This is why I occasionally stress that Mozilla needs to think about their goals - if they have strong goals about what and why they exist, this overcomes any weak-wristed altruism and defends them from attack.

So far, the goal appears to be to deliver good tools to the average user. But this is under challenge; specifically, the security people here have an interest in the technical user who appreciates hard core security, not the average user. This debate needs to be aired one day.

> > As I've said before, I don't think use of certs in general and SSL in
> > particular should be artificially constrained to fit the perceived
> > requirements of the Internet e-commerce market. To get back to Gerv's
> > draft paper, I think his discussion is consistent with that approach:
> > He's proposing leaving the existing browser CA/SSL model and UI in place
> > for legacy CAs and certs, and basically creating an extension to the
>
> Not quite, unknown CAs (he doesn't stipulate although I assume, root
> certs not imported) and self signed certs won't display the lock, which
> is a fairly fundamental change, and judging by the stats with the link
> Ian posted, unknown CAs issue more publicly accessible SSL certificates
> than Verisign does.

The most important thing that the browser UI can do is to promote more SSL. If twice as many people use SSL but it has a slight vulnerability, that's much better than a perfect system that is only used by half as many.

So, it would be ok for the lock not to be shown as long as the browser does not scare the user away or waste their time on popups, IMHO. If self-signed certs could be used exactly as HTTP, then we could replace HTTP with self-signed certs and everyone wins. Even the CAs, who now know who to go and sell certs to.

iang

--
http://iang.org/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security