> -----Original Message-----
> From: Yuji Shinozaki [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 23, 2000 11:16 PM

> Hey, maybe we DO need a sanctioning body, but then how do you decide to
> trust them? And how do you get the existing CA's to play ball?

We live and work with myriad trust relationships anyway.  When I drop a
letter in the mailbox, I trust USPS to pick it up and deliver it correctly
and in a timely fashion, and I'm considerably inconvenienced on the rare
occasions that doesn't happen.  When I drive my car, I trust other drivers
to (more or less - mostly less, around here) obey traffic laws; when they
don't, my property and health are at risk.  When I buy something in a store
with a credit card, I trust the clerk not to save my card information and
use it fraudulently, and the store trusts the card issuer to transfer the
funds.  I trust my partner not to take all the money out of our joint
accounts and run to some tropical paradise that lacks extradition treaties.
I trust the airlines not to lose my luggage - despite repeated evidence to
the contrary.  Trusting CAs is not one of my riskier positions.

It's a matter of evaluating the risk of trusting CAs and my browser vendor's
choice of canned root certificates (which I could intervene in, but I
haven't yet) under the rubric of my threat model.  To date I haven't
detected any exposure from that trust, and the probability of such exposure
seems relatively small.  On the other hand, I have been exposed by poor
practices by certificate holders (namely on-line vendors) that have nothing
to do with the CAs who signed their certificates.  If I chose to restrict my
use of SSL, it would be because of sloppy practices by SSL users, not
because of questionable CA behavior.

(The same goes for trusting expired or revoked certificates.  I have checks
for expired and revoked certs turned on in my user agents, because they're
cheap and don't require any extra effort from me.  I avoid sites with
expired certs - I don't think I've ever run into a revoked one - because
they're a sign of sloppiness, but they're not a significant risk under my
threat model.)

A CA oversight or governing body might marginally increase safety, but there
are much bigger risks that ought to be addressed first.

Michael Wojcik             [EMAIL PROTECTED]
MERANT
Department of English, Miami University
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]