Eric, thanks for your reply!
My point is strictly limited to something approximating "there was no threat model for SSL / secure browsing." And, as you say, you don't really disagree with that 100% :-) With that in mind, I think we agree on this: > >  I'd love to hear the inside scoop, but all I > > have is Eric's book. Oh, and for the record, > > Eric wasn't anywhere near this game when it was > > all being cast out in concrete. He's just the > > historian on this one. Or, that's the way I > > understand it. > > Actually, I was there, though I was an outsider to the > process. Netscape was doing the design and not taking much > input. However, they did send copies to a few people and one > of them was my colleague Allan Schiffman, so I saw it. OK! > It's really a mistake to think of SSL as being designed > with an explicit threat model. That just wasn't how the > designers at Netscape thought, as far as I can tell. Well, that's the sort of confirmation I'm looking for. From the documents and everything, it seems as though the threat model wasn't analysed, it was just picked out of a book somewhere. Or, as you say, even that is too kind, they simply didn't think that way. But, this is a very important point. It means that when we talk about secure browsing, it is wrong to defend it on the basis of the threat model. There was no threat model. What we have is an accident of the past. Which is great. This means there is no real objection to building a real threat model. One more appropriate to the times, the people, the applications, the needs. And the today-threats. Not the bogeyman threats. > Incidentally, Ian, I'd like to propose a counterargument > to your argument. It's true that most web traffic > could be encrypted if we had a more opportunistic key > exchange system. But if there isn't any substantial > sniffing (i.e. the wire is secure) then who cares? Exactly. Why do I care? Why do you care? It is mantra in the SSL community and in the browsing world that we do care. That's why the software is arranged in a a double lock- in, between the server and the browser, to force use of a CA cert. So, if we don't care, why do we care? What is the reason for doing this? Why are we paying to use free software? What paycheck does Ben draw from all our money being spent on this "i don't care" thing called a cert? Some people say "because of the threat model." And that's what this thread is about: we agree that there is no threat model, in any proper sense. So this is a null and void answer. Other people say "to protect against MITM. But, as we've discussed at length, there is little or no real or measurable threat of MITM. Yet others say "to be sure we are talking to the merchant." Sorry, that's not a good answer either because in my email box today there are about 10 different attacks on the secure sites that I care about. And mostly, they don't care about ... certs. But they care enough to keep doing it. Why is that? Someone made a judgement call, 9 or so years ago, and we're still paying for that person caring on our behalf, erroneously. Let's not care anymore. Let's stop paying. I don't care who it was, even. I just want to stop paying for his person, caring for me. Let's start making our own security choices? Let crypto run free! iang --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]