Ian Grigg <[EMAIL PROTECTED]> writes: > I'm sorry, but, yes, I do find great difficulty > in not dismissing it. Indeed being other than > dismissive about it! > > Cryptography is a special product, it may > appear to be working, but that isn't really > good enough. Coincidence would lead us to > believe that clear text or ROT13 were good > enough, in the absence of any attackers. > > For this reason, we have a process. If the > process is not followed, then coincidence > doesn't help to save our bacon. Disagree. Once again, SSL meets the consensus threat model. It was designed that way partly unconsciously, partly due to inertia, and partly due to bullying by people who did have the consensus threat model in mind. That's not the design process I would have liked, but it's silly to say that a protocol that matches the threat model is somehow automatically the wrong thing just because the designers weren't as conscious as one would have liked.
> (No, it's a double-lock-in, or maybe more. It's > a complex interrelated scenario.) > > Here's specifically what the server does: When > it is installed, it doesn't also install and > start up the SSL server. You know that page > that has the feather on? It should also start > up on the SSL side as well, perhaps with a > different colour. > > Specifically, when you install the server, it > should create a self-signed certificate and use > it. Straight away. No questions asked. I would hardly characterize "Failure to do something Ian wants done automatically" as "lock-in". It's not like it takes a genius to type "make cert". You'd get a lot less argument from me if you'd tone down the hyperbole a bit. > > And on the client side the user can, of course, click "ok" to the "do > > you want to accept this cert" dialog. Really, Ian, I don't understand > > what it is you want to do. Is all you're asking for to have that > > dialog worded differently? > > > There should be no dialogue at all. Going from > HTTP to HTTPS/self signed is a mammoth increase > in security. Why does the browser say it is > less/not secure? Because it's giving you a chance to accept the certificate, and letting you know in case you expected a real cert that you're not getting one. > > It's not THAT different from what > > SSH pops up. > > > (Actually, I'm not sure what SSH pops up, it's > never popped up anything to me? Are you talking > about a windows version?) SSH in terminal mode says: "The authenticity of host 'hacker.stanford.edu (18.104.22.168)' can't be established. RSA key fingerprint is d3:a8:90:6a:e8:ef:fa:43:18:47:4c:02:ab:06:04:7f. Are you sure you want to continue connecting (yes/no)? " I actually find the Firebird popup vastly more understandable and helpful. -Ekr -- [Eric Rescorla [EMAIL PROTECTED] http://www.rtfm.com/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]