Identity Crisis, or "How safe am I?"

Peter Kurrasch

Apr 20, 2012, 3:23:03 PM
to dev-secur...@lists.mozilla.org
On Thu, Apr 19, 2012 at 9:48 PM, ianG <ia...@iang.org> wrote:

>
> Gerv made a point earlier that CAs will try and press the marketing claim
> that certificates are about identity. That is, the certificate makes a
> claim about a holder's identity.
>
> And that is as far as it goes.
>

I noticed the following quote in Peter Gutmann's X.509 Guide
<http://www.cs.auckland.ac.nz/%7Epgut001/pubs/x509guide.txt>:

The goal of a cert is to identify the holder of the
corresponding private key, in a fashion meaningful to
relying parties.
-- Stephen Kent

I guess this mindset has been around a while (since the 90s?) but in 2012
this is an outrageous claim to make!

The DigiNotar debacle last year was not some concern that "oh no, what I
thought was Google was actually Uncle Ahmadinejad's Bait-and-Tackle Shop."
No, the concern is that Uncle Ahmadinejad was now able to read my email!

This whole line of reasoning conveniently ignores the obvious reality that
we want to know whose key is what so that we may *use* that key for some
purpose--usually to provide some sort of protection.

If CAs hold to this belief that their sole purpose is identity then it
seems to me CABF should disband immediately because their job was finished
in X509v1.


>> Those questions are mostly rhetorical since I've seen some of the answers
>> appear in this forum. The point, then, is that I don't pay much attention
>> to the name box and I know that most other users won't. Therefore, I just
>> have to disagree with using the name+color scheme approach as a way to
>> convey to users "you are safe". Well, that plus the inherently in-flux
>> definition of "safe".
>>
>
> At some point you are assuming that the point of this is to convey to
> users that "you are safe." This is tough. Nowhere in the literature does
> it say that. Nowhere in BR or EV does it say "and now customers will be
> safe." Nowhere on a CA's website does it say "this will make you safe and
> secure."
>

Probably more than an assumption--a demand! End users are already assuming
and expecting that they are in fact safe.

I agree: saying "you are safe" is a tough bar to reach. What I was
probably thinking at the time is the need to distinguish between "for what
you are doing this is not safe" and "this looks like it's safe enough".
And yes, there is an objective element to that (strong cipher, valid cert,
etc.) as well as subjective (you're only trying to find a handyman to
install an elevator for your car collection vs online banking).

And while it may be a tough problem I see it as definitely solvable--or,
should I say, a problem Mozilla is in a position to solve in concert with
web/email admins and the CAs. But this problem is not a CA problem, so any
CA-oriented or CA-driven solutions are automatic non-starters. Users place
the expectations upon Mozilla software, and it is Mozilla software that
must place expectations upon the CAs.


> BTW, this is an important discussion. Unwinding the marketing trap for CAs
> is essential to moving forward if there is a serious attack scenario
> (2011). The CAs cannot move to a fact-based offering when they are still
> trying to preserve their 1990s marketing-based image which relies on the
> word "trust". As trust - real human trust - diminishes in the secure
> browsing world, something has to replace it, and that cannot be an
> image-based campaign because such only work in rising trust, not falling
> trust.
>
>
> So I'll leave it there for now and will wait to hear from others.
>> Thanks.
>>
>
>
> Oh. others :) Apologies. Look, this is a really bad group to
> re-engineer user security on. This group is about the policy of adding
> existing CAs in the existing model to the browser's accept list.
>

No, you're definitely a part of "others"! Hopefully you don't think I'm
yelling at you, personally--I think we agree more than disagree on this
stuff.

I understand what you're saying about this list but I haven't found another
place that had a reasonably good set of participants as this forum has.
Plus I think Mozilla--through its security policy--is in a good position to
effect change unlike other places which seem to be just a bunch of talk.
But if I should take the conversation elsewhere, I will do so.