Ian, you and I have discussed this before, so I'll just make a few comments.

[EMAIL PROTECTED] (Ian Grigg) writes:
> Problem is, it's also wrong. The end systems
> are not secure, and the comms in the middle is
> actually remarkably safe.
>
> (Whoa! Did he say that?) Yep, I surely did: the
> systems are insecure, and, the wire is safe.

As you know, I think it's more in the middle. As I've mentioned
before, password sniffing was a real problem before SSH. I totally
agree that the systems are insecure (obligatory pitch for my
"Internet is Too Secure Already") http://www.rtfm.com/TooSecure.pdf,
which makes some of the same points you're making, though not all.

> And, it's wrong. There are, then, given these
> stated assumptions, three questions:
>
> 1. why was it chosen?

I think it was chosen for two reasons:
(1) It actually was once a viable threat model, especially for
    military and financial communications, where the end systems
    were secure.
(2) It's a problem we know how to solve.

I don't think that solving the problems one knows how to solve
is always a bad thing, as long as they're real problems. What's
not clear is how real they are.

>     Designers of Internet security
>     protocols typically share a more
>     or less common threat model.
>
> It's para three, section 1.2. And, it is of course,
> famously not true.
>
> SSH is the most outstanding example of not sharing
> that threat model. In fact, it's fair to say
> that most Internet security protocols do not share
> that threat model, unless they happen to have
> followed in SSL's footsteps and also forgotten to
> do their threat model analysis.

This isn't strictly true. IPsec and S/MIME use the same threat model,
for instance. And even SSH mostly adopts it, since there's actually
a fair amount of concern about active attack after the first leap
of faith. One could, after all, just use encryption with no message
integrity at all.

> I'd love to hear the inside scoop, but all I
> have is Eric's book. Oh, and for the record,
> Eric wasn't anywhere near this game when it was
> all being cast out in concrete. He's just the
> historian on this one. Or, that's the way I
> understand it.

Actually, I was there, though I was an outsider to the process.
Netscape was doing the design and not taking much input. However,
they did send copies to a few people and one of them was my
colleague Allan Schiffman, so I saw it.

It's really a mistake to think of SSL as being designed
with an explicit threat model. That just wasn't how the
designers at Netscape thought, as far as I can tell.

Incidentally, Ian, I'd like to propose a counterargument
to your argument. It's true that most web traffic
could be encrypted if we had a more opportunistic key
exchange system. But if there isn't any substantial
sniffing (i.e. the wire is secure) then who cares?

-Ekr