Re: Certificate / CPS issues

2003-06-11 Thread Haren Visavadia
 Why are keystore components written by Microsoft peculiarly unworthy of trust?

There was a flaw in IE; although it has been fixed, the flaw allowed
attackers to delete certificates from the keystore without any user
notification.

How can you trust IE, if there are very serious flaws like this one?

You cannot.

Also, I have heard about Microsoft's Anti-Trust.




Re: Certificate / CPS issues

2003-06-11 Thread Haren Visavadia
 Which one?

According to Al Arsenault:

 a number of the entities behind those trusted roots go out of
business, or become somebody else, or...  A quick quiz,  based on the
root certs from IEv6 (yes, I know the answer to these questions, but
I've been working in the PKI area for over 15 years - how about most
people):

- who owns the private keys associated with those 3 GTE Cyber
Trust root certificates?
- what is that company doing that will conclude by June 30?
- what about the private keys associated with those four Equifax
Secure root certificates?
-  there are at least 10 trusted root certificates marked signed by
DST.  What happened to DST?
- there are six certificates marked as being from Thawte.  Who's
Thawte?
- what about Xcert?





Re: Certificate / CPS issues

2003-06-11 Thread Anthony Atkielski
Haren writes:

 There was a flaw in IE, although it has been fixed ...

Since it has been fixed, where's the problem?

 How can you trust IE, if there are very serious
 flaws like this one?

There are very serious flaws in just about all software; I have not
encountered any exceptions outside the very tiny world of rigorously
verified software, such as that traditionally used by NASA (not anymore),
and even that could still contain a bug.

Most commercial software today is riddled with bugs, because people won't
buy software that is bug-free, but they will buy software that is
feature-rich.  So that's what vendors provide.

 Also, have heard about Microsoft's Anti-Trust.

Antitrust refers to prevention of abuse of monopolistic dominance of a
market; it has nothing to do with trust in the sense of, say, PKI.  Overall,
Microsoft is much more trustworthy than average in this latter domain,
because it has to be--many eyes are watching, and any loss of reputation
could be catastrophic.




Re: Certificate / CPS issues

2003-06-11 Thread Anthony Atkielski
John writes:

 This appears to be relatively new.

The policies on shipping certificates with the product or making them
available via MS updates may be recent.  The mechanism of handling them in
software has been around for a long time.  You can see the certificates in
the Internet options in MSIE, and you can add or delete top-level CAs at
your discretion.  The current versions of MSIE and Windows ship with a
truckload of pre-loaded top-level CAs, I'm afraid.

 It isn't clear, from either the article or
 his note, how much of it is deployed already.

I see dozens of CAs defined in MSIE on XP and even on NT, so I'd say it is
well deployed.

 It is linked, the article says, to Win XP
 and not to IE -- there are different procedures,
 it says, for IE under Win 2000, ME and earlier
 than are proposed (apparently going forward)
 for XP.

XP has an auto update feature; that may be the difference.  They are all in
the Internet options dialog for configuration, however, as far as I know.

 It strongly implies that, if there are options
 to control this, they are (will be?) Windows
 options, not (specifically) IE options (although
 IE might well be able to access them).

Same thing, almost.  Calling up the Internet options from the Configuration
Panel in Windows brings up the same dialog as calling them up from MSIE or
Outlook Express.

 ... I have no idea whether there is an easily-accessible option that
 permits turning ask me before installing a cert on, or what
 information that question provides.

It hasn't often happened, but I seem to recall being asked if I wanted to
install a new top-level certificate.  You can examine the certificate before
approving it.

 And, unless you are in a position to speak
 authoritatively for Microsoft,...

Not anymore.




Re: Certificate / CPS issues

2003-06-11 Thread Haren Visavadia
Antitrust refers to prevention of abuse of monopolistic dominance of a
market; it has nothing to do with trust in the sense

It is a factor that contributes to building trust.





RE: Certificate / CPS issues

2003-06-10 Thread Christian Huitema
  I can not simply, they could be fake, and there
  is no establishment of trust, especially if the
  keystore component is written by Microsoft.
 
 Why are keystore components written by Microsoft peculiarly unworthy of trust?

The procedures used to determine the list of certification authorities
in Windows XP, Internet Explorer and other Microsoft products are
documented at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp

-- Christian Huitema




Re: Certificate / CPS issues

2003-06-10 Thread Anthony Atkielski
Haren writes:

 Some CA has sold their private key to get out
 of bankruptcy.

Which one?





RE: Certificate / CPS issues

2003-06-10 Thread John C Klensin


--On Tuesday, 10 June, 2003 09:12 -0700 Christian Huitema 
[EMAIL PROTECTED] wrote:

The procedures used to determine the list of certification
authorities in Windows XP, Internet Explorer and other
Microsoft products are documented at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp
Christian,

Others may respond differently, but I found one part of this 
very interesting.  The text says, in part:

When a user visits a secure Web site (that is, by using
HTTPS), reads a secure e-mail (that is, S/MIME), or
downloads an ActiveX control that uses a new root
certificate, the Windows XP certificate chain
verification software checks the appropriate Windows
Update location and downloads the necessary root
certificate. To the user, the experience is seamless.
The user does not see any security dialog boxes or
warnings. The download happens automatically, behind the
scenes.
Suppose a user has sufficient expertise and desire to make 
individual evaluations of which CA certs to accept and from what 
CAs.  With the earlier model, she could look through the list, 
adding and deleting root certs according to her preferences and 
using Microsoft's acceptance of a given cert as a guide (to 
whatever extent she saw that as appropriate).  Now, if I read 
this correctly, there is no more choice: any cert accepted by 
Microsoft is automatically trusted by the desktop software and 
the user can't say, e.g., I know that XYZ Corp, who met 
Microsoft's criteria, was just bought out by ABC Corp; I believe 
that ABC are scum and don't want to trust any cert issued by any 
subsidiary of theirs, even if it was issued pre-merger.

Conversely, if I'm part of an enterprise that issues its own 
certs for internal purposes, it doesn't look as if I can make 
those certs usable in the XP environment, since such internal 
certs don't satisfy the broad business value to Microsoft 
platform customers criterion and hence will not be accepted by 
Microsoft for use in the specified environment.

I hope this is only part of the story, and that user options to 
accept some certs (even if they are not accepted by Microsoft) 
and reject others (even if they are accepted by Microsoft) still 
exist in some usable form.

regards,
john





Re: Certificate / CPS issues

2003-06-10 Thread Anthony Atkielski
John writes:

 Now, if I read this correctly, there is no
 more choice ...

You read incorrectly.  Default behavior is not mandatory behavior.

 Conversely, if I'm part of an enterprise that
 issues its own certs for internal purposes, it
 doesn't look as if I can make those certs usable
 in the XP environment, since such internal
 certs don't satisfy the broad business value to Microsoft
 platform customers criterion and hence will not be accepted by
 Microsoft for use in the specified environment.

You read incorrectly, again.  You can add any certificates you want to your
machines.  You just can't get Microsoft to make them publicly available for
distribution by MS without convincing them that doing so is worthwhile for
Microsoft, which makes perfect sense.

 I hope this is only part of the story, and that
 user options to accept some certs (even if they are
 not accepted by Microsoft) and reject others (even
 if they are accepted by Microsoft) still
 exist in some usable form.

They do.  Look under Internet Options in Internet Explorer.




Re: Certificate / CPS issues

2003-06-10 Thread John C Klensin
Anthony,

I asked Christian for a reason.  This appears to be relatively 
new.  It isn't clear, from either the article or his note, how 
much of it is deployed already.  It is linked, the article 
says, to Win XP and not to IE -- there are different procedures, 
it says, for IE under Win 2000, ME and earlier than are proposed 
(apparently going forward) for XP.  It strongly implies that, if 
there are options to control this, they are (will be?) Windows 
options, not (specifically) IE options (although IE might well 
be able to access them).  I don't have a copy of Win XP here, 
much less one with this kit installed, so I have no idea whether 
there is an easily-accessible option that permits turning ask 
me before installing a cert on, or what information that 
question provides.  The article might lead a reasonable person 
to believe that those things had been turned off, with no 
options available to the casual user, in the interest of a good 
user experience (something I can certainly make a case for, even 
while preferring that they not do it to me).  But, I don't 
know, which is why I asked.

And, unless you are in a position to speak authoritatively for 
Microsoft,...

   regards,
  john
--On Wednesday, 11 June, 2003 01:07 +0200 Anthony Atkielski 
[EMAIL PROTECTED] wrote:

John writes:

Now, if I read this correctly, there is no
more choice ...
You read incorrectly.  Default behavior is not mandatory
behavior.
Conversely, if I'm part of an enterprise that
issues its own certs for internal purposes, it
doesn't look as if I can make those certs usable
in the XP environment, since such internal
certs don't satisfy the broad business value to Microsoft
platform customers criterion and hence will not be accepted
by Microsoft for use in the specified environment.
You read incorrectly, again.  You can add any certificates you
want to your machines.  You just can't get Microsoft to make
them publicly available for distribution by MS without
convincing them that doing so is worthwhile for Microsoft,
which makes perfect sense.
I hope this is only part of the story, and that
user options to accept some certs (even if they are
not accepted by Microsoft) and reject others (even
if they are accepted by Microsoft) still
exist in some usable form.
They do.  Look under Internet Options in Internet Explorer.
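An added example, mine and not code from anyone in this thread, showing what the user options John asks about look like on a current Windows box, where the same root stores that IE and the Internet Options dialog read are exposed through PowerShell's Cert: drive. It inventories the trusted roots by issuing organisation (the kind of count Al Arsenault quotes for IEv6 above), flags expired or weakly signed ones, and reads or sets the policy value that stops Windows from silently fetching additional roots from Windows Update. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt; the DisableRootAutoUpdate value is the one written by the "Turn off Automatic Root Certificates Update" Group Policy; the Root and AuthRoot store names are as they appear on current Windows, not necessarily on XP.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ / PowerShell 7,
# run from an elevated prompt (LocalMachine stores and the HKLM policy key).

function Get-TrustedRootInventory {
    param(
        # Root = roots trusted on this machine; AuthRoot = roots delivered by automatic root update.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path -Path $store)) { continue }
        foreach ($cert in Get-ChildItem -Path $store) {
            # Pull the O= component out of the issuer DN so roots group by organisation.
            # (Naive split on commas; a DN with an escaped comma inside a value will mis-parse.)
            $org = ($cert.Issuer -split ',\s*' | Where-Object { $_ -like 'O=*' } | Select-Object -First 1) -replace '^O=', ''
            [pscustomobject]@{
                Store      = $store
                Org        = if ($org) { $org } else { $cert.Issuer }
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
                SigAlg     = $cert.SignatureAlgorithm.FriendlyName
            }
        }
    }
}

function Get-RootAutoUpdatePolicy {
    # Reads the value that the "Turn off Automatic Root Certificates Update" GPO writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $value = (Get-ItemProperty -Path $key -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($value -eq 1) { 'disabled (missing roots must be staged by you or your enterprise PKI)' }
    else { 'enabled (missing roots are fetched from Windows Update without prompting)' }
}

function Disable-RootAutoUpdate {
    # Sets DisableRootAutoUpdate = 1. Only do this if you also distribute the roots you need:
    # Windows Update and driver signature checks depend on Microsoft's own roots being present.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableRootAutoUpdate' -PropertyType DWord -Value 1 -Force | Out-Null
}

# --- usage ---
$inventory = Get-TrustedRootInventory

"{0} trusted roots from {1} distinct organisations" -f @($inventory).Count, @($inventory.Org | Sort-Object -Unique).Count
$inventory | Group-Object -Property Org | Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name | Format-Table -AutoSize

# Expired roots, and roots still signed with MD5 or SHA-1, are the first to review by hand.
$inventory | Where-Object { $_.Expired -or $_.SigAlg -match 'md5|sha1' } |
    Format-Table -Property Store, Org, Subject, NotAfter, SigAlg -AutoSize

"Automatic root update: {0}" -f (Get-RootAutoUpdatePolicy)

# Distrusting a root is a deletion by thumbprint; -WhatIf previews it. Uncomment to apply.
# Remove-Item -Path 'Cert:\LocalMachine\Root\<thumbprint>' -WhatIf
```

The grouping by organisation is what makes Al's quiz answerable on your own machine: you see at a glance how many distinct entities you are trusting and which of them you could not name. The policy switch answers John's concern about roots arriving "behind the scenes": with DisableRootAutoUpdate set, a site chaining to a root you have not staged simply fails validation instead of triggering a silent download, which is the behaviour you want on a machine whose trust list you curate by hand, and a support problem on one you do not.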









Re: Certificate / CPS issues

2003-06-09 Thread Hallam-Baker, Phillip
Bob,

Yes I know, but how many of the vocal minority were pointing to the IPv4
address space issue as the Achilles heel?

Pki works if you know how to make it work. The fact that some in this forum
don't know how to make it work for free does not devalue the concept.

The ietf is doing a good job these days on avoiding insecure protocols. It
is doing a lousy job creating secure protocols that can be used by real
people.

The perfect is the enemy of good security


 -Original Message-
From:   Bob Braden
Sent:   Sun Jun 08 20:09:35 2003
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject:Re: Certificate / CPS issues


  * From [EMAIL PROTECTED]  Sun Jun  8 18:27:12 2003
  * From: Hallam-Baker, Phillip [EMAIL PROTECTED]
  * To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
  * Subject: Re: Certificate / CPS issues 
  * Date: Sun, 8 Jun 2003 18:16:32 -0700 
  * MIME-Version: 1.0
  * X-AntiVirus: scanned by AMaViS 0.2.1
  * 
  * Lets try a thought experiment. Imagine for a moment someone came to
this
  * forum in 1990 proposing say lossy packet routing could never possibly
work
  * because nobody could rely on such a system, pointing out that the
Internet
  * was minute compared to the telephone system and that therefore the
Internet
  * could never possibly be built. Furthermore the fact that the OSI
networking
  * stack was poorly specified and X.500 would inevitably fail meant that
the
  * Internet could not possibly work.
  * 

Actually, in 1990 a vocal set of people *were* saying exactly those
things.

Bob Braden



RE: Certificate / CPS issues

2003-06-09 Thread Haren Visavadia
 serious problems with the PGP model. 

The PGP model offers a lower risk, since I can choose to trust the claimed
person or not.

I know PGP may not scale globally.




RE: Certificate / CPS issues

2003-06-09 Thread Hallam-Baker, Phillip
PKIX is busy grafting the PGP model on top in the shape of cross
certificates.

I dispute the lower risk claim. You have more control. More control does not
mean less risk.





 -Original Message-
From:   Haren Visavadia
Sent:   Mon Jun 09 10:35:58 2003
To: 'Hallam-Baker, Phillip'; [EMAIL PROTECTED]
Subject:RE: Certificate / CPS issues 

 serious problems with the PGP model. 

The PGP model offers a lower risk, since I can choose to trust the claimed
person or not.

I know PGP may not scale globally.



RE: Certificate / CPS issues

2003-06-08 Thread Haren Visavadia
Also, remember that a signature merely proves the signed data and the
public key were accessible to a computational device at the same time.
This is a LONG stretch from actually meaning you signed it
intentionally.
See Schneier's Secrets and Lies, there's a whole chapter on this
point,
or just wait till somebody you know gets nailed with the next
Sobig/Nimda/Klez
or whatever, and ask if any of the mail they sent out was intentional.
;)

You are telling me that if someone else was given a certificate in my name
and signed virus code and distributed it, I would go to jail for it
because it was signed in my name.

I would challenge the law altogether and file a complaint against the
government for this.




RE: Certificate / CPS issues

2003-06-08 Thread Haren Visavadia
 a digital signature *could* be binding even if it's invalid

If it is legally binding, then would the CA signing my certificate also
be a legally binding act? Since a certificate is a document that has a
digital signature.

False certification would get the CA in trouble regardless of their
disclaimer.




Re: Certificate / CPS issues

2003-06-08 Thread Franck Martin




I suggested a few months ago that the PKI, to become a gPKI, should be supported by the DNS system by using special DNS records and an LDAP naming scheme.

In short (go in the archive and look for GLOBAL PKI on DNS), I want to send you an e-mail, so I query the DNS with the domain bbn.com and it replies to me that the PKI for this domain is located at ldap://computer.bbn.com/ I then query this LDAP server to extract your public key/certificate. The certificate of the PKI of bbn.com would have been signed by the PKI of com, which would have been signed by the PKI of the root servers.

The DNS does not carry at any time a certificate (too big)

The DNS here is only offering a location service (small DNS records/transfers)

Cheers
Franck


On Sat, 2003-06-07 at 06:12, Al Arsenault wrote:

While I'm in general a fan of PKI, and agree with some of what Phill has to
say, a number of things should be kept in mind:

1 - a number of popular applications have been designed to work with a large
variety of trusted root certificates, by default.  For example, I just
popped up the list of trusted root certificates marked trusted by default
in IEv6.  I probably miscounted, but I got 106.  (YMMV, depending on
version, or if you use a different browser, or...) From a whole bunch of
different sources.

2 - a number of the entities behind those trusted roots go out of business,
or become somebody else, or...  A quick quiz, based on the root certs from
IEv6 (yes, I know the answer to these questions, but I've been working in
the PKI area for over 15 years - how about most people):

- who owns the private keys associated with those 3 GTE Cyber Trust
root certificates?
- what is that company doing that will conclude by June 30?
- what about the private keys associated with those four Equifax
Secure root certificates?
-  there are at least 10 trusted root certificates marked signed by
DST.  What happened to DST?
- there are six certificates marked as being from Thawte.  Who's
Thawte?
- what about Xcert?






-- 
Franck Martin [EMAIL PROTECTED]
SOPAC








Re: Certificate / CPS issues

2003-06-08 Thread Valdis . Kletnieks
On Sun, 08 Jun 2003 11:11:28 BST, you said:

 You are telling if someone else was given a certificate in my name and
 signed a virus code and distributed it. I would go to jail for it
 because it was signed in my name.

Check with a lawyer - and note that the spammers are *already* using things
like Jeem trojans to relay their spam.  If they've got that much of a
foothold on your machine, adding code to sign the spam with your private key
is pretty trivial, really

 I would challenge the law altogether and fill in a complaint against the
 government for this.

There are any number of good political activism groups that will assist you
with that




Re: Certificate / CPS issues

2003-06-08 Thread Hallam-Baker, Phillip
Lets try a thought experiment. Imagine for a moment someone came to this
forum in 1990 proposing say lossy packet routing could never possibly work
because nobody could rely on such a system, pointing out that the Internet
was minute compared to the telephone system and that therefore the Internet
could never possibly be built. Furthermore the fact that the OSI networking
stack was poorly specified and X.500 would inevitably fail meant that the
Internet could not possibly work.

Imagine what the response would be. Perhaps a pointer to an existence proof?

Perhaps RTFM?

Yes, there are serious problems with the PKIX model, there are also serious
problems with the PGP model. There are even bigger problems with the 'X.500
will come and solve the problems of PKI' model. That is why all the major
PKI vendors have abandoned those models (OK some cling to X.500 but only to
suck up to customers, they don't believe in that stuff any more than I do).

PKI is doing just fine thank you. If you need one to solve a specific
problem it can be done. If you start from the position that any solution
must be entirely costless you will have problems, but if you are realistic
there are solutions that save cost overall.

 You are telling if someone else was given a certificate in my name and
 signed a virus code and distributed it. I would go to jail for it
 because it was signed in my name.

Check with a lawyer - and note that the spammers are *already* using things
like Jeem trojans to relay their spam.  If they've got that much of a
foothold on your machine, adding code to sign the spam with your private
key
is pretty trivial, really

IANAL... and neither it appears are you...

According to the ABA digital signature guidelines a digital signature should
create a REBUTTABLE presumption of validity. That is exactly the same as the
standard for a written signature, it is assumed to be valid unless you
affirmatively claim it to be invalid.

You might well have other issues if your machine is cracked and used to
attack someone else. There might be claims of negligence etc. but I am not
aware of such claims being made in cases to date...

The grandmother loses her private key and loses her house thing was analyzed
to death when the laws were being written.

You probably don't want to ever use S/MIME as a mechanism to create
promiscuous contracts. You might however want to use the fact that all your
emails are S/MIME signed to defend yourself against claims that someone
appropriated your signature.

Phill



Re: Certificate / CPS issues

2003-06-08 Thread Valdis . Kletnieks
On Sun, 08 Jun 2003 18:16:32 PDT, Hallam-Baker, Phillip [EMAIL PROTECTED]  said:

 According to the ABA digital signature guidelines a digital signature should
 create a REBUTTABLE presumption of validity. That is exactly the same as the
 standard for a written signature, it is assumed to be valid unless you
 affirmatively claim it to be invalid.

Yes, I'm sure those guidelines are all well and good and clearly thought out.
The problem is that what actually gets *LEGISLATED* may be a totally different
story - wander over to Ed Felton's www.freedom-to-tinker.org and read up on the
so-called 'Super-DMCA' which has, according to an number of people, made NAT
and firewalls technology illegal in Michigan.

No, I'm *not* a lawyer - but I would be quite surprised if in *no* jurisdictions
did the legislature unwittingly pass equally silly legislation regarding
digital signatures - which is why I said Check with a lawyer.




RE: Certificate / CPS issues

2003-06-08 Thread Hallam-Baker, Phillip
 Yes, I'm sure those guidelines are all well and good and clearly thought out.
 The problem is that what actually gets *LEGISLATED* may be a totally different
 story

Well why not go and find out rather than raising a theoretical
problem that probably does not exist?

Most of the digital signature legislation was passed four or five
years ago.

Phill



Re: Certificate / CPS issues

2003-06-08 Thread Bob Braden

  * From [EMAIL PROTECTED]  Sun Jun  8 18:27:12 2003
  * From: Hallam-Baker, Phillip [EMAIL PROTECTED]
  * To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
  * Subject: Re: Certificate / CPS issues 
  * Date: Sun, 8 Jun 2003 18:16:32 -0700 
  * MIME-Version: 1.0
  * X-AntiVirus: scanned by AMaViS 0.2.1
  * 
  * Lets try a thought experiment. Imagine for a moment someone came to this
  * forum in 1990 proposing say lossy packet routing could never possibly work
  * because nobody could rely on such a system, pointing out that the Internet
  * was minute compared to the telephone system and that therefore the Internet
  * could never possibly be built. Furthermore the fact that the OSI networking
  * stack was poorly specified and X.500 would inevitably fail meant that the
  * Internet could not possibly work.
  * 

Actually, in 1990 a vocal set of people *were* saying exactly those
things.

Bob Braden



RE: Certificate / CPS issues

2003-06-07 Thread Haren Visavadia
 OK, so what happens when someone else uses my address, perhaps using
 my passport, captured from some mail sent by me to someone?

 I think the term of art is being Joe Jobbed.

 Every now and then, I get a bounced report that claims something I sent
 is being returned, but it was not sent by me.  This something is most
 often spam sent to someone else.  Sometimes it contains a virus.
 Apparently this is a trick to get me to open it.

The CA holds no warranty, making the certificate invalid in legal terms,
since they can not prove the certificate is yours.




Re: Certificate / CPS issues

2003-06-07 Thread Anthony Atkielski
 I hereby request the list management to remove
 Anthony's email address from the subscriber list,
 so as to not expose the IETF to liability.

Too late ... my incredibly valuable service mark has already been
distributed to the list many times in the headers of my messages.  Clearly
this dilutes the well-nigh awe-inspiring value of the mark and impacts the
staggering commercial value of my business.

 Hmm.. maybe that's not the right attitude, Anthony.

I agree.  But that's exactly what Habeas is trying to do.

 It's pretty clear that there's a fair-use exemption
 if you actually want to USE that domain name for anything.

Fair use doesn't apply to trademarks and service marks.

 Given that the song Happy Birthday was/is
 copyrighted ( don't know when it expires, especially
 after the whole Sonny Bono thing), I'd say that any haiku
 that the Habeas crew comes up with qualifies.

Not necessarily.  The Habeas haiku comes closer to a business form or
boilerplate text in a contract, which is not necessarily protected by
copyright.  Additionally, it's not clear that the appearance of the haiku in
(normally invisible) message headers is an infringement, even if it is
covered by copyright.

Overall, there are just too many questions in this case, and the intent to
pervert copyright law is patent.  It's difficult to quarrel with the
copyrightable nature of Happy Birthday and the infringing nature of
unauthorized performances; but it is easy to quarrel with Habeas' bizarre
distortion of IP law, and hopefully it would not hold up in court, as it
sets a bad precedent and would significantly chill freedom of speech if it
were upheld.

 And although you may find the creative use of the law
 distasteful, to state that their claims are 'invalid
 prima facie', you need to be able to show that they
 are in fact invalid.

The haiku in question is trivial, like the title of a book.  Additionally,
it is not published in the normal course of e-mail routing.  Users do not
see it, and simple transmission of the work is not necessarily infringement
(after all, the transmission of Web pages to your PC is not infringement,
either, and even caching of pages seems to be okay).  Just about every
principle of and behind copyright protection is being ignored by Habeas.

Odd that Habeas considers this okay, but if spammers went to the same
lengths to distort the law to their own ends, people would form lynch mobs.
I guess the law is great when it protects you, but bad when it protects
someone else, eh?

 Let's see... are the haiku original?  Do they
 meet the Bern Convention requirements for
 copyrightability?

Each message posted to this list is more subject to copyright than Habeas'
haiku.  In fact, the error messages I sent to domains that I reject in
sendmail are more validly protected by copyright than this haiku, and
domains that receive the messages and communicate them to end users are
infringing my copyright.  If that sounds absurd, keep in mind that it is no
more absurd than the ideas promoted by Habeas.

 Note that major companies have had *no* trouble
 enforcing copyright/trademark on slogans as short
 as it's the real thing or you deserve a break today.

Actually, they do.  First of all, short phrases like this are not protected
by copyright; copyrighted works must be non-trivial.  And as trademarks,
they are protected only in narrow contexts (those that might lead to
confusion in the minds of consumers, or those that might dilute the value of
the marks for their proprietors).

 It may not be what the founding fathers had in
 mind in 1790, and it may not match what you *wish*
 it was, but it's how the *current* laws are held to read
 as of today.

No, they aren't.  See above.  Think about Xerox, Coke, and Aspirin, for
example.

 Barring a major judicial reversal (such as was
 attempted in Eldred), we're all stuck with the
 current laws as currently interpreted.

Habeas has not been tested, and there are no highly relevant guiding
precedents (I think).

 IANAL, but it looks to me like the Habeas crew is
 on fairly strong legal footing.

On the contrary, they appear to be treading on extremely thin ice.  But only
a legal test will say for sure.

 Also, they're not trying to stop spam directly.  They're
 providing two services:  (a) a header tag that you can use
 to filter your inbound mail for *NON*-spam, and (b) the
 chance for any spammers to spend enough money on legal
 fees to render it unprofitable.

And what if I consider unnecessary headers in my incoming e-mail as spam?
Then what?  Can I sue or prosecute Habeas?  If not, why not?  After all,
that application of law would be no less farfetched than Habeas' own
attempted application of IP law.




Re: Re[2]: Certificate / CPS issues

2003-06-07 Thread Anthony Atkielski
Richard writes:

 i might add that the CEO of Habeas, Anne Mitchell,
 is an actual lawyer.

So?  Is she the _only_ lawyer??

There are probably any number of lawyers who would enjoy eating Habeas for
breakfast.

 i am not familiar with Anthony's credentials in the
 field of law. casually throwing legal terms about
 does not impress.

Neither does distorting legal principles in an attempt to control spam.

 this email happens to have Habeas headers, so i presume
 that he will not see it if he is throwing such mail
 out the way he says he will.

I haven't started filtering on it, since Habeas really doesn't appear on the
radar to speak of.




Re: Certificate / CPS issues

2003-06-07 Thread Anthony Atkielski
Valdis writes:

 ... the biggest question is which spammer (if any)
 is willing to risk the lawsuit to find out.

There might be quite a few.  It might be easy to have Habeas' claims
invalidated, and it would be worthwhile to spammers to get that out of the
way.  Additionally, some organizations might back them, such as the DMA or
the ACLU.

 The same thing is going on currently over on the
 patent law side of the fence - companies will just
 fold and pay the licensing fees rather than fight
 an obviously bogus patent.

They aren't choosing between fighting and going out of business, though.
Would Habeas license its haiku to spammers?




Re: Certificate / CPS issues

2003-06-07 Thread Valdis . Kletnieks
On Sat, 07 Jun 2003 08:30:34 BST, Haren Visavadia [EMAIL PROTECTED]  said:
 The CA holds no warranty, making the certificate invalid in legal terms,
 since they can not prove the certificate is yours.

IANAL, but you better check with a lawyer on that one.  Depending where you
live, a digital signature *could* be binding even if it's invalid... Yes,
there's some broken legislation out there...

Also, remember that a signature merely proves the signed data and the
public key were accessible to a computational device at the same time.
This is a LONG stretch from actually meaning you signed it intentionally.
See Schneier's Secrets and Lies, there's a whole chapter on this point,
or just wait till somebody you know gets nailed with the next Sobig/Nimda/Klez
or whatever, and ask if any of the mail they sent out was intentional. ;)





Certificate / CPS issues

2003-06-06 Thread Hallam-Baker, Phillip
The CPS states the authentication processes that the CA uses in issuing the
certificate or otherwise certifying the key (amongst other things).

You can trust the CPS in the sense that the CPS of a well known CA should
provide you with a reliable indication of the level of risk involved in
relying on the certificate.


Yes there are ways to get hold of a certificate even if you are a bad
person. In the credit card world every transaction carries insurance, so the
risk is acceptable. In the spam control world the risk is that you get
spammed, a problem but hardly a mission critical, can never happen
compromise. In the Web Services world someone can steal goods or services, a
real problem - so expect Web Services PKI services to be based on PKI models
such as XKMS where insurance can be sold with each transaction.

Ok so imagine the spam sender registers a bogus company, sends spam. What is
the redress, how long can they get away with it and how easy will it be to
get a replacement certificate?

It is likely that spam senders are going to get caught pretty quickly,
within the first 100,000 messages or so. Spam a honeypot, get your
credentials revoked. In theory you could revoke at that point. For technical
reasons I won't bore you with it is more likely you would want to not revoke
the cert and instead revoke a 'trustworthy sender' attribute. This can still
be advertised through XKMS.

It is even possible to push the revocation notice out so that the emails can
be retrospectively quarantined; this would require a new protocol.


A spam sender could attempt to use disposable certificates in the same way
that IP addresses and dialup accounts are considered disposable. This is
unlikely to work for long, the spam sender can set up lots of shell
companies at the same address but if the CA keeps authenticating to the same
address or phone number the pattern will soon become apparent.

There is even an empirical measurement of how effective a CA's processes are.
Just look at the scores that spamBayes is assigning to certs from different
CAs. The zero-authentication CAs will quickly be attacked by spam senders.

Phill
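The process sketched in this post (a honeypot hit withdraws a "trustworthy sender" attribute rather than revoking the certificate, and the spam rate of mail signed under each CA measures that CA's vetting) as an added example in Python. It is not code from the thread, from VeriSign or from XKMS; the certificate fingerprints, CA names, mailboxes and the honeypot address are all constructed, and the content-filter verdict is taken as given input.

```python
"""Sender-reputation model, added here to illustrate the post above.

This is an added example, not code from the thread, from VeriSign or from
XKMS. Each signed message carries the fingerprint of the signing
certificate and the name of the issuing CA (all constructed). A honeypot
hit revokes the sender's 'trustworthy sender' attribute while the
certificate itself stays valid, and the per-CA spam rate gives the
empirical measure of each CA's vetting that the post describes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedMessage:
    cert_fp: str      # fingerprint of the signing certificate (constructed)
    issuer: str       # CA that issued that certificate (constructed name)
    recipient: str    # mailbox the message was delivered to
    is_spam: bool     # verdict of the content filter (e.g. a Bayesian score)


class SenderRegistry:
    """Tracks the per-certificate 'trustworthy sender' attribute.

    Revoking the attribute is distinct from revoking the certificate: the
    signature still verifies, but relying parties stop treating the sender
    as pre-approved.
    """

    def __init__(self, honeypots):
        self.honeypots = set(honeypots)
        self.trustworthy = {}        # cert_fp -> bool
        self.revocation_log = []     # (cert_fp, reason), in order

    def register(self, cert_fp):
        # A sender is trustworthy until evidence says otherwise.
        self.trustworthy.setdefault(cert_fp, True)

    def is_trustworthy(self, cert_fp):
        return self.trustworthy.get(cert_fp, False)

    def revoke_attribute(self, cert_fp, reason):
        if self.trustworthy.get(cert_fp):
            self.trustworthy[cert_fp] = False
            self.revocation_log.append((cert_fp, reason))

    def observe(self, msg):
        """Process one delivered message and return the filter decision."""
        self.register(msg.cert_fp)
        if msg.recipient in self.honeypots:
            # Nobody legitimately mails a honeypot address, so one hit is
            # enough to withdraw the attribute for that certificate.
            self.revoke_attribute(msg.cert_fp, f"honeypot hit: {msg.recipient}")
        return "pass" if self.is_trustworthy(msg.cert_fp) else "quarantine"


def spam_rate_by_ca(messages):
    """Fraction of signed mail the content filter called spam, per issuing CA.

    A CA that authenticates nobody will see its certificates used by spam
    senders and its rate climb; that is the empirical measure of its process.
    """
    totals, spam = defaultdict(int), defaultdict(int)
    for m in messages:
        totals[m.issuer] += 1
        spam[m.issuer] += m.is_spam
    return {ca: spam[ca] / totals[ca] for ca in totals}


def flag_weak_cas(messages, threshold=0.5):
    """CAs whose certificates sign spam at or above the threshold rate."""
    return sorted(ca for ca, rate in spam_rate_by_ca(messages).items()
                  if rate >= threshold)


# Constructed sample traffic: two CAs, one honeypot, one spam sender.
HONEYPOTS = ("trap-1@honeypot.example",)
SAMPLE = [
    SignedMessage("fp-alice", "Careful CA", "bob@example.net", False),
    SignedMessage("fp-mallory", "ZeroAuth CA", "bob@example.net", True),
    SignedMessage("fp-mallory", "ZeroAuth CA", "trap-1@honeypot.example", True),
    SignedMessage("fp-mallory", "ZeroAuth CA", "carol@example.net", True),
    SignedMessage("fp-dave", "ZeroAuth CA", "carol@example.net", False),
    SignedMessage("fp-alice", "Careful CA", "carol@example.net", False),
]


def run(messages=SAMPLE, honeypots=HONEYPOTS):
    """Feed messages through the registry; return decisions and the registry."""
    registry = SenderRegistry(honeypots)
    decisions = [registry.observe(m) for m in messages]
    return decisions, registry


if __name__ == "__main__":
    decisions, registry = run()
    for m, d in zip(SAMPLE, decisions):
        print(f"{m.cert_fp:12} -> {m.recipient:26} {d}")
    print("revoked attributes:", registry.revocation_log)
    print("spam rate by CA:", spam_rate_by_ca(SAMPLE))
    print("weak CAs:", flag_weak_cas(SAMPLE))
```

Note what the sample shows: the spam sender's first message passes, because the attribute is withdrawn only on evidence, and every later message under the same certificate is quarantined without the CA having to revoke anything. The per-CA rate is what a relying party can compute locally from its own corpus, which is the measurement the post has in mind.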



RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
Verisign's disclaimer, which is part of the CPS. This would mean the CA simply
endorses the subscriber's information. How can you trust a CA with a
disclaimer like this?

VERISIGN DISCLAIMS ANY WARRANTIES WITH RESPECT TO THE SERVICES PROVIDED
BY VERISIGN HEREUNDER INCLUDING WITHOUT LIMITATION ANY AND ALL IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
VERISIGN MAKES NO REPRESENTATION OR WARRANTY THAT ANY CA OR USER TO
WHICH IT HAS ISSUED A DIGITAL ID IN THE VERISIGN SECURE SERVER HIERARCHY
IS IN FACT THE PERSON OR ORGANIZATION IT CLAIMS TO BE WITH RESPECT TO
THE INFORMATION SUPPLIED TO VERISIGN. VERISIGN MAKES NO ASSURANCES OF
THE ACCURACY, AUTHENTICITY, INTEGRITY, OR RELIABILITY OF INFORMATION
CONTAINED IN DIGITAL IDS OR IN CRLs COMPILED, PUBLISHED OR DISSEMINATED
BY VERISIGN, OR OF THE RESULTS OF CRYPTOGRAPHIC METHODS IMPLEMENTED.





Re: Certificate / CPS issues

2003-06-06 Thread Anthony Atkielski
 Verisign's disclaimer, which is part of the CPS.
 This would mean the CA simply endorses the subscriber's
 information. How can you trust a CA with a
 disclaimer like this?

You can't.

Furthermore, Verisign already compromised its trust model in the worst way
some time ago when it let a complete stranger obtain a Microsoft signing
certificate.  Since then, I've pretty much written them off as far as
trustworthiness goes.




RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
 Furthermore, Verisign already compromised its trust model in the worst way
 some time ago when it let a complete stranger obtain a Microsoft signing
 certificate.

The trust model was compromised due to a failure on the CA's part. The CA had
failed to successfully identify who the person was before issuing the
certificate.

This is one accident, but many more could occur in the future, potentially
resulting in fake certificates which could be used to sign e-mail.
Therefore the signature would not identify who the person really is.




Re: Certificate / CPS issues

2003-06-06 Thread Graham Klyne
At 12:12 05/06/03 -0700, Hallam-Baker, Phillip wrote:

> A spam sender could attempt to use disposable certificates in the same way
> that IP addresses and dialup accounts are considered disposable. This is
> unlikely to work for long, the spam sender can set up lots of shell
> companies at the same address but if the CA keeps authenticating to the same
> address or phone number the pattern will soon become apparent.

Hmmm... is there an economic play here?

<background>
First, briefly, my view of the spam situation.  I don't think it's 
fundamentally an Internet protocol design issue (though some design tweaks 
may help).  Essentially, I think people currently have the choice of
(1) putting filters in place and accept the loss of some non-spam mail, or
(2) accepting a deluge of spam, and not lose any mail.  In practice, I 
think this option doesn't exist, because I find that (lacking spam filters) 
I do lose a few pieces of non-spam mail because I don't recognize the 
sender or subject.  So I see a way forward to be a passport mechanism to 
reliably bypass automated spam filters, a kind of whitelist++.
</background>

So back to my question: is there an economic play here?

(I was offered the opinion once that a big *disadvantage* of email compared 
with fax for business transactions was that it has almost zero incremental 
cost of use.)

I'm thinking of a cert issued for a small sum of money, without any
authentication other than the purchaser promises something like "I promise
not to spam with this certificate".  At the earliest evidence of it being
used for spamming, it is revoked.  The price should be small enough to be 
accessible to any reasonable person, but high enough that the bill for 
daily or hourly renewal would become significant.

Maybe crazy, just thinking aloud...

#g

---
Graham Klyne
[EMAIL PROTECTED]
PGP: 0FAA 69FF C083 000B A2E9  A131 01B9 1C7A DBCA CB5E



RE: Certificate / CPS issues

2003-06-06 Thread Hallam-Baker, Phillip
Yes, the CPS disclaims all WARRANTIES.

You do not want a CA that provides a recourse that depends on finding of
fault. WARRANTIES are a specific legal instrument that provides recourse
through the courts under theories of merchantability and negligence. So you
have to PROVE the CA did something wrong... you don't want that.

What you want is insurance, read the relying party agreement. That
specifically provides insurance for certain specific failures. In other
words a NO-FAULT dispute procedure.

Do you think that folk signing PGP keys are undertaking unlimited liability
should the certification turn out to be incorrect?


Folk use our $15 a year certificates for some hair raising stuff. There is a
certain organization that moves very large sums of money every day whose PKI
consists of buying a few hundred certs from our consumer site via credit
card. So don't expect anyone to accept unlimited liability for a fixed $15
fee.

If you want to have insurance on a per transaction model you have to go to
an online technology. That is one of the many reasons we designed OCSP and
then XKMS.


I think the real problem here is that folk are demanding something that is
impossible. They want a PKI that is entirely costless, failure free and
provides unlimited liability. If you set that as the standard for existence
of a global PKI then you are never going to see one.

Security is risk control, not risk elimination.


Phill



RE: Certificate / CPS issues

2003-06-06 Thread Dan Kohn
Regarding a passport mechanism, have you taken a look at
www.habeas.com?  Specifically, they offer such a "this is not spam"
warrant mark, and the pricing for individuals is free.  The trick is
that they use copyright and trademark law as the enforcement mechanism.

(NB: I helped start the company.)

  - dan
--
Dan Kohn mailto:[EMAIL PROTECTED]
http://www.dankohn.com/  tel:+1-650-327-2600

-Original Message-
From: Graham Klyne [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2003 03:50
To: Hallam-Baker, Phillip; '[EMAIL PROTECTED]'

At 12:12 05/06/03 -0700, Hallam-Baker, Phillip wrote:
> A spam sender could attempt to use disposable certificates in the same
> way that IP addresses and dialup accounts are considered disposable. This
> is unlikely to work for long, the spam sender can set up lots of shell
> companies at the same address but if the CA keeps authenticating to the
> same address or phone number the pattern will soon become apparent.

Hmmm... is there an economic play here?

<background>
First, briefly, my view of the spam situation.  I don't think it's
fundamentally an Internet protocol design issue (though some design
tweaks may help).  Essentially, I think people currently have the choice of
(1) putting filters in place and accept the loss of some non-spam mail, or
(2) accepting a deluge of spam, and not lose any mail.  In practice, I
think this option doesn't exist, because I find that (lacking spam filters)
I do lose a few pieces of non-spam mail because I don't recognize the
sender or subject.  So I see a way forward to be a passport mechanism to
reliably bypass automated spam filters, a kind of whitelist++.
</background>

So back to my question: is there an economic play here?

(I was offered the opinion once that a big *disadvantage* of email
compared with fax for business transactions was that it has almost zero
incremental cost of use.)

I'm thinking of a cert issued for a small sum of money, without any
authentication other than the purchaser promises something like "I promise
not to spam with this certificate".  At the earliest evidence of it being
used for spamming, it is revoked.  The price should be small enough to be
accessible to any reasonable person, but high enough that the bill for
daily or hourly renewal would become significant.

Maybe crazy, just thinking aloud...

#g


---
Graham Klyne
[EMAIL PROTECTED]
PGP: 0FAA 69FF C083 000B A2E9  A131 01B9 1C7A DBCA CB5E


___
This message was passed through [EMAIL PROTECTED],
which is a sublist of [EMAIL PROTECTED] Not all messages are passed.
Decisions on what to pass are made solely by Raffaele D'Albenzio.




RE: Certificate / CPS issues

2003-06-06 Thread Pete Resnick
On 6/6/03 at 7:41 AM -0700, Phillip Hallam-Baker wrote:

> Do you think that folk signing PGP keys are undertaking unlimited
> liability should the certification turn out to be incorrect?

No, but if Mary turns out to be someone who signs PGP keys for people
I don't like, I can simply say "Don't trust Mary" in my PGP
application and the things she signs won't show up as valid unless
someone I do trust signs them. If RSA screws up and signs keys for
people I don't like, I can't (practically) say "Don't trust RSA"
without invalidating a bunch of keys that I probably do want to trust.

I'm not by any means saying that PGP is a perfect solution. It's just
that the liability scenario is very different because the amount of
damage any given signer can do is much different.

pr
--
Pete Resnick mailto:[EMAIL PROTECTED]
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102


Re: Certificate / CPS issues

2003-06-06 Thread Zefram
Dan Kohn wrote:
> Regarding a passport mechanism, have you taken a look at
> www.habeas.com?  Specifically, they offer such a "this is not spam"
> warrant mark, and the pricing for individuals is free.  The trick is
> that they use copyright and trademark law as the enforcement mechanism.

I'm surprised that Habeas has caught on even to the extent it has, as I
see a fatal flaw in this use of copyright to get legal control.  It is
reminiscent of a legal case I recall where a games console refused to
execute any game unless a certain copyright notice (ascribing copyright to
the console manufacturer) appeared in a known location in the game ROM.
Third-party game manufacturers put the notice in their games, and were
hauled into court.  The court held that the copyright notice in question
was a functional part of the interface between the game and the console,
and that this overrode its normal semantic of signifying copyright
ownership.  The notice that the console looked for therefore didn't
mean anything legally, and the notice elsewhere in the game (the real
notice, ascribing ownership to the game manufacturer) was the legally
significant one.

What Habeas does is akin to publishing a protocol or file format in
a copyrighted document, and then suing implementors of the protocol
for copying sections of protocol data from the document.  It's mixing
expression with content (copyright protects one and not the other).
We wouldn't stand for it if Microsoft did that, and I don't think the
courts would either.  In fact, Microsoft has tried things very similar to
this, and we didn't stand for it.  I'm astonished that members of this
overwhelmingly pro-freedom and pro-reverse-engineering subculture have
themselves tried to deploy exactly the same odious trick.  Although I
approve of Habeas' aims, for the sake of our freedoms I hope that their
technique is held to be ineffective.

FWIW, my spam filter picks up Habeas headers as a strong ham indicator,
appearing in 0.4% of ham in my corpus and not at all in spam.  I'm waiting
to see which of these numbers is going to increase more significantly.

-zefram
-- 
Andrew Main (Zefram) [EMAIL PROTECTED]



RE: Certificate / CPS issues

2003-06-06 Thread Hallam-Baker, Phillip
Signs keys for people you don't LIKE?

I give (well sell) certs to plenty of people I don't LIKE. That is not the
issue, the issue is whether the authentication procedure is being applied
as stated in the CPS or not.

If a bogus certificate is issued and the CA refuses to revoke it then you
have a big problem.

In your scenario what happens if you find out that Ted Tso or Jeff Schiller
has signed a bogus key. Do you then revoke every key they ever issued on
that account?


Please remember that we are trying to solve the spam problem here. The
guys sending the stuff are organized criminals. It is bad if even one
criminal spam gets through. But it is also bad if you can't use email unless
you go pay $10,000 to some email good practice accreditation agency (yes
that is what they charge).

So yes we can use certificates to address the spam problem, but don't expect
the criteria to be set at military security levels. Most people simply won't
pay for that.

Phill

 -Original Message-
 From: Pete Resnick [mailto:[EMAIL PROTECTED]
 Sent: Friday, June 06, 2003 12:10 PM
 To: Hallam-Baker, Phillip
 Cc: '[EMAIL PROTECTED]'
 Subject: RE: Certificate / CPS issues
 
 
 On 6/6/03 at 7:41 AM -0700, Phillip Hallam-Baker wrote:
 
 Do you think that folk signing PGP keys are undertaking unlimited 
 liability should the certification turn out to be incorrect?
 
 No, but if Mary turns out to be someone who signs PGP keys for people 
 I don't like, I can simply say Don't trust Mary in my PGP 
 application and the things she signs won't show up as valid unless 
 someone I do trust signs them. If RSA screws up and signs keys for 
 people I don't like, I can't (practically) say Don't trust RSA 
 without invalidating a bunch of keys that I probably do want to trust.
 
 I'm not by any means saying that PGP is a perfect solution. It's just 
 that the liability scenario is very different because amount of 
 damage any given signer can do is much different.
 
 pr
 -- 
 Pete Resnick mailto:[EMAIL PROTECTED]
 QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: 
 (858)651-1102
 



RE: Certificate / CPS issues

2003-06-06 Thread David Morris


On Fri, 6 Jun 2003, Hallam-Baker, Phillip wrote:


 Security is risk control, not risk elimination.

Absolutely!

Extending that thought, managing risk is about the cost of loss vs. the
cost of protection.

Humans make mistakes. Systems fail. Sammy Sosa used the wrong bat. The
shuttles failed. To reject a service because you have one presumed example
of failure is not realistic. A pattern of failures would be an issue, just
like you might avoid purchase of an automobile if Consumer Reports failure
statistics are abnormally high.

For the objectives we are discussing, I think the failure rate at Verisign
is not an issue. Most (perhaps all) folks in this discussion seem to agree
that the issue with spam is in the volume and not the mere existence of
spam. Social scientists could probably study the parallel growth of spam
and the corresponding growth in frustration and even end up with a volume
of spam which most people would be comfortable with. I strongly suspect
that reducing and keeping spam at 10% of current levels would probably be
success. Certainly, 1% would be.

On that premise, I'm certain it doesn't matter if 1 of the current 200
heavy duty spammers gets a fraudulent certificate. That might make final
identification more difficult, but most of the other mechanisms will still
function.

1. Proof of common source of the quantity of emails needed to be
   ruled as illegal
2. Source based filtering can still block mail identified with the
   cert
3. Once the fraud is discovered, the CA is likely to have process
   in place to avoid issuing new certs to the same entity

The last time I investigated, Verisign had certificates of different types
with different prices and levels of identification verification. Even the
cheapest have some cost and since I doubt that Verisign accepts cash
payment, there is identity associated with the payment. Worst case is a
stolen credit card is used to make payment. Since that is an immediate
felony, it may actually be the best case from anti-spam perspective.
Because of this cost (and the difficulty of obtaining and risk of using a
large number of stolen credit cards), it seems less likely that spammers
will follow the scenario of obtaining a large number of throw away
certificates.

Conclusion, I don't see the less than 100% trustworthiness of any CA to be
an impediment to the use of certificates as part of an email origin
identification scheme. Only a fool would accept a self-signed certificate
as having any significance, so I think the suggestion that a spammer could
generate their own storm of certificates has little merit.

Dave Morris




RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
> Do you think that folk signing PGP keys are undertaking unlimited
> liability should the certification turn out to be incorrect?

The biggest difference between PGP and X.509 is that in PGP I can
choose the level of trust.

X.509 is based on a dictatorial model, where my browser is forced into
trusting the certificate from a server.




Habeas (was: Certificate / CPS issues)

2003-06-06 Thread Dave Aronson
Zefram [EMAIL PROTECTED] wrote:

  I'm surprised that Habeas has caught on even to the extent it has, as
  I see a fatal flaw in this use of copyright to get legal control.  It
  is reminiscent of a legal case I recall where a games console refused
  to execute any game unless a certain copyright notice (ascribing
  copyright to the console manufacturer) appeared in a known location
  in the game ROM. Third-party game manufacturers put the notice in
  their games, and were hauled into court.  The court held that the
  copyright notice in question was a functional part of the interface
  between the game and the console, and that this overrode its normal
  semantic of signifying copyright ownership.

Where this analogy breaks down, is that Habeas is not interfering with 
the functionality of non-Habeas email.  First, what to do with marked or 
unmarked email is entirely up to the recipient (or his ISP, or whoever 
else is doing spam filtering).  Second, it is not saying everything 
else is spam (and therefore delaying it getting through, except by 
comparison), just this is not spam.

A better analogy would be, say, any sort of optional certification.  
You're perfectly welcome to buy electrical devices not approved by 
Underwriters Laboratories, but if you (or your electrician, or 
purchasing department) DO insist on UL-approved devices, you'll have a 
lower risk of shorts, shock, fire, etc.  I don't know for sure, but I 
ass-u-me UL would take a Very Dim View of manufacturers putting a 
UL-Approved label on devices that really weren't, and may have legal 
recourse through lawsuits asking for damages (especially punitive) that 
outweigh the faker's likely profit.

  FWIW, my spam filter picks up Habeas headers as a strong ham
  indicator, appearing in 0.4% of ham in my corpus

Their web site explains the name, but I just gotta wonder if they were 
punning on that as well

-- 
David J. Aronson, Unemployed Software Engineer near Washington DC
See http://destined.to/program/ for online resume, and other info




RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
> I think the real problem here is that folk are demanding something
> that is impossible. They want a PKI that is entirely costless, failure
> free and provides unlimited liability. If you set that as the standard
> for existence of a global PKI then you are never going to see one.

Folks will pay a certain amount providing the certificate validity
period is not a short time, for example issuing certificates that are valid
for 2 years instead of 1 year, or providing many different validity periods
for customers to choose from.

The issue is one of implementation of the system.




RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
Pete wrote:
 No, but if Mary turns out to be someone who signs PGP keys for people 
 I don't like.

The job of the CA is NOT based on liking; it is one of authenticating
the subscriber and issuing a certificate.

The authentication of the subscriber is defined by the CA's CPS.




RE: Certificate / CPS issues

2003-06-06 Thread Pete Resnick
On 6/6/03 at 9:48 AM -0700, Phillip Hallam-Baker wrote:

> Signs keys for people you don't LIKE?

Well, I was referring to people who send spam, or aren't reputable
business folk, or do any of a list of nasty things that I consider
non-trustworthy. I should have put "don't like" in quotes.

> In your scenario what happens if you find out that Ted Tso or Jeff
> Schiller has signed a bogus key. Do you then revoke every key they
> ever issued on that account?

I might. It depends. If I think it was a fluke incident, I might not.
But, if I thought that Ted and/or Jeff were repeatedly signing keys
for disreputable folks, I might very well mark their keys as
"untrusted" and not trust keys that were solely signed by them. Or
(if we start talking about pie-in-the-sky kinds of things), I could
imagine my e-mail filters saying, "Quarantine e-mail not signed by
someone in this list of keys", and I might remove Ted and/or Jeff
from that list of keys.

> Please remember that we are trying to solve the spam problem here.

That's not what *I* was doing here. I was simply trying to point out
that the liability model was different for a web of trust than for CA
trust. Whether using either method is more or less applicable to
solving the spam problem is not something I'm willing to discuss in
this forum.
--
Pete Resnick mailto:[EMAIL PROTECTED]
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102



Re: Certificate / CPS issues

2003-06-06 Thread Al Arsenault
While I'm in general a fan of PKI, and agree with some of what Phill has to
say, a number of things should be kept in mind:

1 - a number of popular applications have been designed to work with a large
variety of trusted root certificates, by default.  For example, I just
popped up the list of trusted root certificates marked trusted by default
in IEv6.  I probably miscounted, but I got 106.  (YMMV, depending on
version, or if you use a different browser, or...) From a whole bunch of
different sources.

2 - a number of the entities behind those trusted roots go out of business,
or become somebody else, or...  A quick quiz, based on the root certs from
IEv6 (yes, I know the answer to these questions, but I've been working in
the PKI area for over 15 years - how about most people):

- who owns the private keys associated with those 3 GTE Cyber Trust
root certificates?
- what is that company doing that will conclude by June 30?
- what about the private keys associated with those four Equifax
Secure root certificates?
- there are at least 10 trusted root certificates marked signed by
DST.  What happened to DST?
- there are six certificates marked as being from Thawte.  Who's
Thawte?
- what about Xcert?

3 - most users will never know enough to delete roots as no longer being
trusted (or do what some of us do, and delete them all at system install
time; then reinstall just the ones needed, on a need-to-exist basis).  Since
any cert that chains to any one of those roots will succeed silently in the
default configurations of many popular applications, who will know?

The point of this is that if you're going to use a PKI-based approach to
combatting SPAM, you have to look at the whole problem, as it exists today.
All it takes in the real world is a spammer (or friend of such) acquiring
the private key associated with any trusted root cert in popular
applications, and there you go - SPAM passes your tests/filters until you
figure out how to remove the cert from the list of trusted ones.  Not
something that my mother will easily know how to do.

Al Arsenault



- Original Message -
From: David Morris [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 1:01 PM
Subject: RE: Certificate / CPS issues




 On Fri, 6 Jun 2003, Hallam-Baker, Phillip wrote:

 
  Security is risk control, not risk elimination.

 Absolutely!

 Extending that thought, managing risk is about the cost of loss vs. the
 cost of protection.

 Humans make mistakes. Systems fail. Sammy Sosa used the wrong bat. The
 shuttles failed. To reject a service because you have one presumed example
 of failure is not realistic. A pattern of failures would be an issue, just
 like you might avoid purchase of an automobile if Consumer Reports failure
 statistics are abnormally high.

 For the objectives we are discussing, I think the failure rate at Verisign
 is not an issue. Most (perhaps all) folks in this discussion seem to agree
 that the issue with spam is in the volume and not the mere existence of
 spam. Social scientists could probably study the parallel growth of spam
 and the corresponding growth in frustration and even end up with a volume
 of spam which most people would be comfortable with. I strongly suspect
 that reducing and keeping spam at 10% of current levels would probably be
 success. Certainly, 1% would be.

 On that premise, I'm certain it doesn't matter if 1 of the current 200
 heavy duty spammers gets a fraudulent certificate. That might make final
 identification more difficult, but most of the other mechanisms will still
 function.

 1. Proof of common source of the quantity of emails needed to be
ruled as illegal
 2. Source based filtering can still block mail identified with the
cert
 3. Once the fraud is discovered, the CA is likely to have process
in place to avoid issuing new certs to the same entity

 The last time I investigated, Verisign had certificates of different types
 with different prices and levels of identification verification. Even the
 cheapest have some cost and since I doubt that Verisign accepts cash
 payment, there is identity associated with the payment. Worst case is a
 stolen credit card is used to make payment. Since that is an immediate
 felony, it may actually be the best case from anti-spam perspective.
 Because of this cost (and the difficulty of obtaining and risk of using a
 large number of stolen credit cards), it seems less likely that spammers
 will follow the scenario of obtaining a large number of throw away
 certificates.

 Conclusion, I don't see the less than 100% trustworthiness of any CA to be
 an impediment to the use of certificates as part of an email origin
 identification scheme. Only a fool would accept a self-signed certificate
 as having any significance, so I think the suggestion that a spammer could
 generate their own storm of certificates has little merit.

 Dave Morris





RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
Dave wrote:
> Only a fool would accept a self-signed certificate

A CA certificate is self-signed.

Are you suggesting CAs should cross-sign each other's certificates?




RE: Certificate / CPS issues

2003-06-06 Thread Haren Visavadia
Al Arsenault:
 SPAM passes your tests/filters until you
 figure out how to remove the cert from the list of trusted ones. 

A filter could be set to filter out all e-mail containing a certain
certificate, regardless of the trust chain.






Re: Certificate / CPS issues

2003-06-06 Thread Graham Klyne
At 12:40 06/06/03 -0700, Einar Stefferud wrote:

> OK, so what happens when someone else uses my address, perhaps using
> my passport, captured from some mail sent by me to someone?

I think the term of art is being "Joe Jobbed".

> Every now and then,  I get a bounced report that claims something I sent
> is being returned, but it was not sent by me.  This something is most
> often spam sent to someone else.  Sometimes it contains a virus.
> Apparently this  is a trick to get me to open it.

I see a couple of differences:  re-using someone's email address is easy
... I've had a flurry of 'bounces' recently for messages I certainly did
not send.  But the information to send those (deceitful) messages is very
easily obtained.

By putting some of the information behind a cryptographic screen, it
becomes harder for others to casually use it.

And if security is compromised, then the cert gets revoked and the genuine
owner has to buy another one.  Hey, don't we occasionally lose theatre
tickets?  Tough, but not disastrous -- we just have to buy another one.

> Anyway, I think your Passport Scheme needs some more work.

I'm sure it does!

#g
--
At 11:50 +0100 6/6/03, Graham Klyne wrote:
At 12:12 05/06/03 -0700, Hallam-Baker, Phillip wrote:
A spam sender could attempt to use disposable certificates in the same way
that IP addresses and dialup accounts are considered disposable. This is
unlikely to work for long, the spam sender can set up lots of shell
companies at the same address but if the CA keeps authenticating to the 
same
address or phone number the pattern will soon become apparent.

Hmmm... is there an economic play here?

<background>
First, briefly, my view of the spam situation.  I don't think it's 
fundamentally an Internet protocol design issue (though some design 
tweaks may help).  Essentially, I think people currently have the choice of
(1) putting filters in place and accept the loss of some non-spam mail, or
(2) accepting a deluge of spam, and not lose any mail.  In practice, I 
think this option doesn't exist, because I find that (lacking spam 
filters) I do lose a few pieces of non-spam mail because I don't 
recognize the sender or subject.  So I see a way forward to be a 
passport mechanism to reliably bypass automated spam filters, a kind of 
whitelist++.
</background>

So back to my question: is there an economic play here?

(I was offered the opinion once that a big *disadvantage* of email 
compared with fax for business transactions was that it has almost zero 
incremental cost of use.)

I'm thinking of a cert issued for a small sum of money, without any 
authentication other than the purchaser promises something like "I
promise not to spam with this certificate".  At the earliest evidence of
it being used for spamming, it is revoked.  The price should be small 
enough to be accessible to any reasonable person, but high enough that 
the bill for daily or hourly renewal would become significant.

Maybe crazy, just thinking aloud...

#g


---
Graham Klyne
[EMAIL PROTECTED]
PGP: 0FAA 69FF C083 000B A2E9  A131 01B9 1C7A DBCA CB5E
---
Graham Klyne
[EMAIL PROTECTED]
PGP: 0FAA 69FF C083 000B A2E9  A131 01B9 1C7A DBCA CB5E



Re: Certificate / CPS issues

2003-06-06 Thread Anthony Atkielski
Dan writes:

 Regarding a passport mechanism, have you
 taken a look at www.habeas.com?

Habeas represents one of the most egregious perversions of trademark and
copyright law that I've ever encountered.  Their copyright and trademark
claims are invalid prima facie, and they hope to get their way by
intimidation and distortion of the law to their ends.  I cannot condone
this, as it dramatically erodes the foundations of intellectual property
law.

Copyright law was intended to protect real, creative, original, non-trivial
works of the mind for the benefit of their creators--and not as a
techno-gadget to prevent spam.  Trademark law was intended to protect the
commercial value and goodwill of creative, real, original, non-trivial
identifying marks for specific products and services--and not as a
techno-gadget to prevent spam.

I'd love to see Habeas lose a couple of lawsuits.  They are setting a very
unhealthy precedent.

 Specifically, they offer such a "this is not spam"
 warrant mark, and the pricing for individuals is
 free.

If I see that warrant mark on my incoming mail, I'll bounce it.

 The trick is that they use copyright and trademark law
 as the enforcement mechanism.

That's just it:  it's a trick, and a glaring abuse of intellectual property
law.

Incidentally, the name of my domain is a service mark, and so any e-mail
coming to me from Habeas is an infringement on my service mark, since it
will contain the name of my domain.  You can't argue with this, since it is
no less stupid than the premise conjured up by Habeas.




Re: Certificate / CPS issues

2003-06-06 Thread Valdis . Kletnieks
On Sat, 07 Jun 2003 00:45:37 +0200, Anthony Atkielski [EMAIL PROTECTED]  said:

 Incidentally, the name of my domain is a service mark, and so any e-mail
 coming to me from Habeas is an infringement on my service mark, since it
 will contain the name of my domain.  You can't argue with this, since it is
 no less stupid than the premise conjured up by Habeas.

I hereby request the list management to remove Anthony's email address from
the subscriber list, so as to not expose the IETF to liability.  Hmm.. maybe
that's not the right attitude, Anthony. ;)

It's pretty clear that there's a fair-use exemption if you actually want to
USE that domain name for anything.

 Copyright law was intended to protect real, creative, original, non-trivial
 works of the mind for the benefit of their creators--and not as a

Given that the song "Happy Birthday" was/is copyrighted (I don't know when it
expires, especially after the whole Sonny Bono thing), I'd say that any haiku
that the Habeas crew comes up with qualifies.  And although you may find the
creative use of the law distasteful, to state that their claims are 'invalid
prima facie', you need to be able to show that they are in fact invalid.
Let's see... are the haiku original?  Do they meet the Berne Convention
requirements for copyrightability? Note that total doggerel is NOT a factor,
as Sturgeon's Law would put 90% of everything in the public domain then.

Note that major companies have had *no* trouble enforcing copyright/trademark
on slogans as short as "it's the real thing" or "you deserve a break today".
It may not be what the founding fathers had in mind in 1790, and it may not
match what you *wish* it was, but it's how the *current* laws are held to read
as of today.  Barring a major judicial reversal (such as was attempted in
Eldred), we're all stuck with the current laws as currently interpreted.

IANAL, but it looks to me like the Habeas crew is on fairly strong legal
footing.  Also, they're not trying to stop spam directly.  They're providing
two services:  (a) a header tag that you can use to filter your inbound
mail for *NON*-spam, and (b) the chance for any spammers to spend enough
money on legal fees to render it unprofitable.




Re[2]: Certificate / CPS issues

2003-06-06 Thread Richard Welty
On Fri, 06 Jun 2003 22:42:29 -0400 [EMAIL PROTECTED] wrote:
 IANAL, but it looks to me like the Habeas crew is on fairly strong legal
 footing. 

i might add that the CEO of Habeas, Anne Mitchell, is an actual lawyer. i
am not familiar with Anthony's credentials in the field of law. casually
throwing legal terms about does not impress.

this email happens to have Habeas headers, so i presume that he will not
see it if he is throwing such mail out the way he says he will.

cheers,
  richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
  Unix, Linux, IP Network Engineering, Security





Re: Certificate / CPS issues

2003-06-06 Thread Michael Froomkin - U.Miami School of Law
You cannot get trademark protection for anything functional.  To the
extent that the Habeas magic words are used functionally, I do not think
they are eligible for trademark protection.

Ditto copyright: "Works that may not be protectable by copyright include:
short phrases and slogans, familiar symbols or designs, and other
works lacking sufficient creativity or independent effort; designs of
useful articles or products where the designs are not conceptually
separable from the functional aspects of the article or product; works
consisting only of information that is in the public domain; and blank
forms and other works which are designed for recording information and
which do not in themselves convey information."

(source: American Law Institute - American Bar Association Continuing
Legal Education April 10-11, 2003 Trademarks, Copyrights, and Unfair
Competition for the General Practitioner and the Corporate Counsel COURSE
OVERVIEW Ronald L. Panitch SH085 ALI-ABA 361)

Functional things are eligible to be patented.

Thus, I have grave doubts as to the strength of this footing under IP law.
There might be alternate legal theories that would work a little
better

I could go into considerably greater detail as to why, and also as to what
the counter-argument might look like, but I'd have to charge you...

On Fri, 6 Jun 2003 [EMAIL PROTECTED] wrote:

[...]

 IANAL, but it looks to me like the Habeas crew is on fairly strong legal
 footing.  Also, they're not trying to stop spam directly.  They're providing
 two services:  (a) a header tag that you can use to filter your inbound
 mail for *NON*-spam, and (b) the chance for any spammers to spend enough
 money on legal fees to render it unprofitable.
 

-- 
Please visit http://www.icannwatch.org
A. Michael Froomkin   |Professor of Law|   [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |  +1 (305) 284-6506 (fax)  |  http://www.law.tm
--It's hot here.--




Re: Certificate / CPS issues

2003-06-06 Thread Valdis . Kletnieks
On Sat, 07 Jun 2003 00:39:37 EDT, Michael Froomkin - U.Miami School of Law said:
 You cannot get trademark protection for anything functional.  To the
 extent that the Habeas magic words are used functionally, I do not think
 they are eligible for trademark protection.

I stand corrected.  :)

 Thus, I have grave doubts as to the strength of this footing under IP law.
 There might be alternate legal theories that would work a little
 better

Of course, it's quite possible that Habeas's legal theory *is* a complete
load of dingo's kidneys - the biggest question is which spammer (if any)
is willing to risk the lawsuit to find out.  The same thing is going on
currently over on the patent law side of the fence - companies will just
fold and pay the licensing fees rather than fight an obviously bogus patent.

