Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-26 Thread Gervase Markham
Julien Pierre wrote:

> Actually having separate builds for localized versions is a can of worms
> in itself. Are the localized builds built from separate branches?
> I was under the impression that they simply had additional language
> modules.

The usual practice, I believe, is to swap out the language XPI and
region XPI, and perhaps change the home page. Some places (like the
Japanese) also apply patches for bugs which are really irritating in
their locale.

Gerv
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-26 Thread Ian Grigg
Frank Hecker has mentioned in his draft of a metapolicy that
a threat model should be used.  AFAIK, there is only a fairly
poor attempt at a threat model for browser security, a great
lack in the original design.
Here is my attempt at a threat model:

http://iang.org/ssl/browser_threat_model.html

Comments welcome.  One thing - I've not found any doco on
how a threat model is written out, so I'm in the dark a bit.
But, ignorance is no excuse for not trying...
iang


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-25 Thread Julien Pierre
Gervase,

Gervase Markham wrote:
> Frank Hecker wrote:
>
>> There's still the trademark issue, but I don't see why this couldn't
>> be handled consistently with other localization-specific changes. For
>> example, if the Mozilla Foundation allows the creators of the
>> France-localized version to include, say, default links to French
>> search engines, and still use official Mozilla logos, etc., then I
>> don't see why the Mozilla Foundation wouldn't also let them make
>> changes to the list of included CA certificates, if there are good
>> reasons for such changes.
>
> Removal wouldn't present a problem. Adding new CAs to the default list
> while still retaining our trademarks would be much more of a can of worms.
>
> Gerv

Actually having separate builds for localized versions is a can of worms
in itself. Are the localized builds built from separate branches?
I was under the impression that they simply had additional language modules.

However, if you want a different list of trusted CA for each localized
version, you may have to branch mozilla/security/nss/lib/ckfw/builtins
for each country. You won't just be able to install language modules,
you will need to pick up new libnssckbi.so .


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-23 Thread Frank Hecker
Ian Grigg wrote:
> This points out the difficulty of correctly analysing
> the threat model that is appropriate.  Consider
> American credit card holders, versus non-Americans
> holding credit cards, as discussed recently here.

snip

> Which risk is a security modeller to pick?  It's very
> tricky.

I have no idea how in general the threat model we are considering might
vary based on the country in which the user is based, the country or
countries in which the certificate holders are based, and so on. The best
I can hope to do is to provide some rough guidance to whomever has to 
worry about this.

My initial thoughts on this are as follows:

1. The typical user to be considered in the context of this policy
could vary from CA to CA, based on the composition of the customer base 
for the CA (i.e., the certificate holders) and/or the composition of the 
population of users who interact with those certificate holders.

Rationale: If, for example, we're considering a CA that is based in a 
particular country and issues certificates mainly to people and 
businesses in that country, and if the Mozilla users interacting with 
those certificate holders are also in that country, then there might be 
country-specific issues (like those mentioned for France) that would 
tend to make the threat model somewhat different than it would be 
otherwise. If this is the case then the evaluators can take this into 
account when deciding whether or not to include the CA's certificate.

2. By default (i.e., in the absence of other considerations that might 
lead us to do otherwise) we will consider typical users in the context 
of the environment in the US.

Rationale: The standard version of Mozilla released by the Mozilla 
Foundation also happens to serve as the US-localized version, and 
therefore it should take US-specific issues into account if and where 
that ever makes sense.

If for some reason a decision taken in a US context doesn't make sense 
for users in other countries, then people doing localized versions of 
Mozilla for those countries can be given leeway to make their own 
decisions. Thus, for example, if we include a particular CA's 
certificate in the standard (US-localized) version of Mozilla, and the 
people doing the France-localized version don't think this is a
good idea (based on the situation in France), then there's no reason in
principle why they couldn't remove that CA's certificate from the 
France-localized version.

There's still the trademark issue, but I don't see why this couldn't be 
handled consistently with other localization-specific changes. For 
example, if the Mozilla Foundation allows the creators of the 
France-localized version to include, say, default links to French search 
engines, and still use official Mozilla logos, etc., then I don't see 
why the Mozilla Foundation wouldn't also let them make changes to the 
list of included CA certificates, if there are good reasons for such 
changes.

Frank

--
Frank Hecker
hecker.org


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-19 Thread Jean-Marc Desperrier
Julien Pierre wrote:
> [...]
> My experience is that's more protection than is afforded to credit cards
> in France. In particular, the quality of goods provision means that
> most US merchants have flexible return policies. I have tried returning
> stuff I bought that I was unhappy with in France (with a credit card).
> No luck: it's up to the merchant, there is no law that gives this
> right. [...]

If this were a distance purchase, you have every right to return within
7 days:
http://www.legifrance.gouv.fr/WAspad/RechercheSimpleArticleCode?code=CCONSOML.rcvart=L121-16
http://www.legifrance.gouv.fr/WAspad/RechercheSimpleArticleCode?code=CCONSOML.rcvart=L121-20

But not for brick and mortar commerce, it is indeed up to the merchant 
if you realize after purchase the product is not suited for your need 
and no replacement can solve the problem.

Still Visa Gold and some other equivalent cards include a usually very 
little known and used, but still amazingly powerful insurance that 
enables you to get a full reimbursement if you're not satisfied with a 
purchase you made with the card.

> Anyway, this is drifting somewhat off-topic from the fraud subject.
> [...]

Certainly :-)


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-19 Thread Julien Pierre
Hi,

Jean-Marc Desperrier wrote:

> Julien Pierre wrote:
>
>> [...]
>> My experience is that's more protection than is afforded to credit
>> cards in France. In particular, the quality of goods provision
>> means that most US merchants have flexible return policies. I have
>> tried returning stuff I bought that I was unhappy with in France
>> (with a credit card). No luck: it's up to the merchant, there is no
>> law that gives this right. [...]

In my case it was brick and mortar. And the store wasn't willing to even
exchange the item for something more suitable. The law was on their side.

> Still Visa Gold and some other equivalent cards include a usually
> very little known and used, but still amazingly powerful insurance
> that enables you to get a full reimbursement if you're not satisfied
> with a purchase you made with the card.

Yes, but try actually using that insurance sometime. It typically has
exclusions for foreign purchases. My US-issued platinum VISA credit card 
certainly did, so I was stuck with the item bought at retail in France, 
with no way to return or exchange it. I should have known not to buy retail.

Anyway, end of this off-topic story.


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-18 Thread Jean-Marc Desperrier
Ian Grigg wrote:
> [...]
> Outside USA, most countries have laws on the books
> that put the banks in charge of fraudulent credit card
> transactions.  Not so in America, it seems.

I didn't say exactly that. I reported I heard the level of protection is
lower in America, but I don't have the exact description of the 
difference, I might even be proven wrong. Or it might be different 
depending on the state.


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-18 Thread Ian Grigg
Jean-Marc Desperrier wrote:
> Ian Grigg wrote:
>
>> [...]
>> Outside USA, most countries have laws on the books
>> that put the banks in charge of fraudulent credit card
>> transactions.  Not so in America, it seems.
>
> I didn't say exactly that. I reported I heard the level of protection is
> lower in America, but I don't have the exact description of the
> difference, I might even be proven wrong. Or it might be different
> depending on the state.

I also was surprised, so I asked someone who hopefully
knows better (an American).
It turns out that there are no laws on the books that
specifically limit the liability of owners of credit
cards, in the USA.  At least, from that one person's
perspective, I could also be wrong on this point, and
we may want to dig further.
However, I think the/your essential point has been made,
which is the important thing - there is a different
equation depending on which country you are in.  That's
new information for me.
iang


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-18 Thread Julien Pierre
Ian Grigg wrote:

> Jean-Marc Desperrier wrote:
>
>> I didn't say exactly that. I reported I heard the level of protection
>> is lower in America, but I don't have the exact description of the
>> difference, I might even be proven wrong. Or it might be different
>> depending on the state.
>
> I also was surprised, so I asked someone who hopefully
> knows better (an American).
> It turns out that there are no laws on the books that
> specifically limit the liability of owners of credit
> cards, in the USA.  At least, from that one person's
> perspective, I could also be wrong on this point, and
> we may want to dig further.

You got an incorrect answer. Please see:
http://www.bankrate.com/brm/news/DrDon/20020617a.asp?keyword=CREDITCARDSauthorid=12firstn=Donmiddlen=lastn=Taylor
* Unauthorized charges. Federal law limits your responsibility for 
unauthorized charges to $50;

However, the protection only applies to credit cards (i.e., lines of
credit) because it is part of the Fair Credit Billing Act. If you use a
US debit card, you are not legally protected by this. In that case, it 
is up to the bank to tell you how much you may be liable for in case of 
fraudulent activity, according to their policy. It may range from $0 to 
unlimited.


Re: Proposed CA certificate metapolicy - 7. threat models

2004-02-17 Thread Ian Grigg
> 7. Risks to typical Mozilla users should be assessed in accordance with
> a documented threat model based on the activities in which those users
> might typically engage, e.g., online shopping and banking, using other
> access-controlled web sites and services, submitting personal
> information to companies and government agencies, exchanging personal
> email with others, downloading and installing new software on their
> personal systems, and comparable activities.
>
> Rationale: Risk analysis doesn't make sense in the absence of an
> agreed-upon threat model, and that threat model should be based on what
> users are actually doing in practice.

This points out the difficulty of correctly analysing
the threat model that is appropriate.  Consider
American credit card holders, versus non-Americans
holding credit cards, as discussed recently here.

Outside USA, most countries have laws on the books
that put the banks in charge of fraudulent credit card
transactions.  Not so in America, it seems.

So, a typical world user is covered - without risk -
when using a browser to purchase goods (however they
do it).  Whereas a US user might face a risk of quite
severe proportions (again, however they use the card).

Which risk is a security modeller to pick?  It's very
tricky.  For this reason, I'd say that trying to document
a threat model might be harder than we think, as it may
very well result in a different model depending on what
country we are talking about.

Which means that every criticism could be equally valid,
and not valid at the same time.  I often criticise the
threat model used by SSL's original designers for including
the MITM, without validating it;  but, in the light of
potentially huge credit card risks by US designers, it
might be that it made more sense to them to go over the
top in worrying about something they couldn't measure.

I suppose the thing here is to try to create a threat
model and see how far we get.  Interesting task!

iang