Oh, sorry, I just saw (after sending that email), that I didn't answer your question.
Why bother quoting it at all? Because whether the number is 600+ or 300+, it still serves to support the point that browsers will take the word of any one of over a hundred potentially untrustworthy strangers as "proof" that a connection to a website is secure.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 5:48 PM, Tao Effect <[email protected]> wrote:

> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <[email protected]> wrote:
>
>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>
> Dude, how did you manage to ignore that entire email?
>
> One more time, since you somehow missed it:
>
>>> OK, in order for me to correct this in the paper I need the following information:
>>>
>>> 1. A link to who "DFN" is.
>>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>
> You cannot just say "the EFF is lying", throw your hands in the air, and leave it at that.
>
> Unlike you, the EFF provided sources and proof for their claim.
>
> They then wrote a widely cited blog post containing their claim and their evidence for it.
>
> Where is your blog post? Where is your evidence that the EFF is lying?
>
> These emails of yours don't cut it. Heck, I'd even post a link to an archived email of yours if you provided the necessary information in it.
>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <[email protected]> wrote:
>
>> When you make an assertion in a paper then you are accepting the burden of proof.
>>
>> If the source for the '600' claim was lying then the claim has to be taken off the table completely. The DFN root issue demonstrates that the methodology is bogus rather than just being a single inaccurate data point.
>>
>> If you want to make assertions about the number of CAs then the most accurate measure currently available is still the number of roots in the commonly used browsers. While there are a handful of CAs using roots cross certified by another CA, such CAs now have to have a full audit statement and meet all the acceptance criteria in their own right. So there would be little point in not applying to have the root entered in independently.
>>
>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>>
>> On Mon, Dec 16, 2013 at 1:44 PM, Tao Effect <[email protected]> wrote:
>>
>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>
>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>
>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>
>> OK, in order for me to correct this in the paper I need the following information:
>>
>> 1. A link to who "DFN" is.
>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>
>> Let me emphasize that none of this ultimately matters to the points that were made in the paper.
>>
>> Whether the number is 600+ or 300+, it's still an insecure, broken mess.
>>
>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>
>> I'll be happy to clear this up:
>>
>> - Bitcoin is not the "market leader" of distributed DNS systems. Namecoin is.
>> - Namecoin and Bitcoin are designed with completely different goals in mind. They are not competitors.
>> - Namecoin is not intended to be a bitcoin replacement, nor the other way around. It is not like "litecoin" or any of the other bitcoin competitors, because it is not a competitor to bitcoin.
>>
>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>
>> I'll be happy to clear this up too:
>>
>> None of these are comparable to Bitcoin or Namecoin.
>>
>> Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, distributed currencies.
>>
>> - "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
>> - eGold: Centralized currency with no "reliable user identification" (not a problem with Bitcoin or Namecoin)
>> - Liberty Reserve: Centralized currency https://en.wikipedia.org/wiki/Liberty_Reserve#Background
>>
>> People who are standing back and scratching their heads, wondering why Bitcoin is still around after years of being used to purchase illegal drugs, murder-for-hire, and weapons (continuing to this day btw), simply don't understand what Bitcoin is.
>>
>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>
>> Do you represent a company that sells SSL certs? It seems like you might:
>>
>> During twelve years as Principal Scientist at VeriSign Inc.,
>>
>> Perhaps the paper is a bit harsh (and I welcome suggestions to improve its language), but the critiques it levies against companies that sell SSL certs are completely valid:
>>
>> Companies that sell SSL certificates usually claim that their certificates provide customers with “security.” Customers are led to believe that these certificates protect browser-server communication from eavesdropping and tampering. As elaborated in this paper, this simply isn’t true today.
>>
>> I have to say that, among the cert companies' websites that I looked at, VeriSign's homepage makes the fewest claims about the security protections it provides.
>>
>> The words "usually claim" leave room for exceptions. I could not find, on the customer-facing pages on VeriSign's site, any claims that VeriSign's SSL certs "protect browser-server communication from eavesdropping and tampering."
>>
>> Some close calls are:
>>
>> In short, when it comes to securing online transactions, safeguarding customer information, and protecting business reputation, you're only as safe as the Certificate Authority you choose.
>> https://www.symantec.com/ssl-certificates-advantages
>>
>> Customers Gain Confidence with the Green Address Bar: Online shoppers recognize the green address bar as an easy and reliable way to verify the site identity and security.
>> https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
>>
>> VeriSign's SSL certificates do not provide websites with meaningful protection as defined in the DNSNMC paper because they cannot be securely authenticated in the face of a fraudulent certificate that's presented to customers by a MITM.
>>
>> If your certs can simply be replaced by any of the other CAs out there, then *all* of the security they provide is thrown out the window.
>>
>> Furthermore, because VeriSign is a random third-party, not the company that users visit when they visit a site using VeriSign's certificate, the protection offered by that certificate is inherently inferior to a securely authenticated self-signed certificate.
>>
>> This is simply mathematics, and not a point that's up for debate.
>>
>> When trust is distributed across more parties, that trust is diluted because it now depends on the least secure of those parties.
>>
>> Sidenote:
>>
>> It seems like I was sent "to the sharks" so to speak (perhaps as a practical joke?).
>>
>> So far almost half of the replies to this thread have come from representatives of SSL companies.
>>
>> The hostility is therefore no surprise.
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>
>> On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <[email protected]> wrote:
>>
>>> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <[email protected]> wrote:
>>>
>>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>>>
>>> I thought the EFF was a reputable source.
>>>
>>> There has been no update or correction to their post:
>>> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>>
>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>
>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>
>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>>
>>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>>>
>>> What market leader?
>>>
>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>>
>>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>>>
>>> What eGold scheme are you comparing Namecoin to?
>>>
>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>>
>>> Are you sure you know what you're talking about here...? ;-)
>>>
>>> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>>>
>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>>
>>> --
>>> Website: http://hallambaker.com/
>>> _______________________________________________
>>> therightkey mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/therightkey
>>
>> --
>> Website: http://hallambaker.com/
>> _______________________________________________
>> therightkey mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/therightkey
>
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
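As an added illustration of the point argued in the thread (a browser accepts a certificate for a site from any anchor in its trust store, so the protection rests on the least secure CA, and an intermediate adds no new anchor), here is a small Python model of path validation. It is not code from the thread, the DNSNMC paper or any browser; the CA names, the hostname www.example.com and the HMAC stand-in for asymmetric signatures are constructed for the example, and the pinned check is one mitigation in the spirit of binding a name to a specific key.

```python
import hashlib
import hmac
import os

# Added toy model of browser-style X.509 path validation (not from the thread
# or any real browser). A cert is a dict; its "signature" is an HMAC keyed by
# the issuer's key, a stand-in for an asymmetric signature (stdlib only).

def _sign(signer_key, cert):
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['key']}".encode()
    return hmac.new(bytes.fromhex(signer_key), tbs, hashlib.sha256).hexdigest()

def make_root(name):
    cert = {"subject": name, "issuer": name, "key": os.urandom(16).hex()}
    cert["sig"] = _sign(cert["key"], cert)  # self-signed
    return cert

def issue(ca_cert, subject):
    cert = {"subject": subject, "issuer": ca_cert["subject"], "key": os.urandom(16).hex()}
    cert["sig"] = _sign(ca_cert["key"], cert)
    return cert

def verify_chain(leaf, intermediates, trust_store):
    """Walk issuer links to a self-signed cert; return its name if it is in the
    trust store, else None. Like a browser, ANY anchor in the store will do."""
    by_subject = {c["subject"]: c for c in list(intermediates) + list(trust_store)}
    cur = leaf
    for _ in range(8):  # bound the path length
        issuer = by_subject.get(cur["issuer"])
        if issuer is None or not hmac.compare_digest(cur["sig"], _sign(issuer["key"], cur)):
            return None  # unknown issuer or bad signature
        if issuer["subject"] == issuer["issuer"]:
            return issuer["subject"] if issuer in trust_store else None
        cur = issuer
    return None

def verify_pinned(leaf, intermediates, trust_store, expected_anchor):
    # Mitigation: only the one anchor the site is known to use is accepted.
    return verify_chain(leaf, intermediates, trust_store) == expected_anchor

def demo():
    root_a, root_b = make_root("Root A"), make_root("Root B")
    store = [root_a, root_b]                  # constructed trust store
    legit = issue(root_a, "www.example.com")  # the site's real cert
    sub_b = issue(root_b, "Root B Sub CA")    # an intermediate, not a new anchor
    other = issue(sub_b, "www.example.com")   # same name, vouched for by another CA
    return {"legit": verify_chain(legit, [], store),
            "other": verify_chain(other, [sub_b], store),
            "other_pinned": verify_pinned(other, [sub_b], store, "Root A")}
```

Both certificates for www.example.com pass the browser-style check, one via Root A and the other via Root B's intermediate; only the pinned check rejects the second.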
