In listening to this thread, hearing all the hyperbole on both sides, I would suggest that we may need more fuel to the fire.

There was a rump presentation at the recent Crypto on the use of "Ceremonies" (which, pardon my misstatement in advance, is claimed to be computer protocols with the humans included). The presentation states, "Design a great protocol, prove it secure; add a user, it’s insecure". This specifically discusses SSL.

The entire rump session is at
   http://www.iacr.org/conferences/crypto2005/rumpSchedule.html

scroll down to
   Ceremonies by Carl Ellison

The presentation and video
   http://www.iacr.org/conferences/crypto2005/r/48.ppt
   http://www.iacr.org/conferences/crypto2005/r/48.mov

The video is about 50MB.

Thanks

jim

On Aug 28, 2005, at 10:32 PM, James A. Donald wrote:

    --
From:               Dave Howe <[EMAIL PROTECTED]>

2) Google got into the CA business; namely, all
GoogleMail owners suddenly found they could send and
receive S/Mime messages from their googlemail
accounts, using a certificate that "just appeared" and
was signed by the GoogleMail master cert. Given the
GoogleMail user base, this could make GoogleMail a
de facto CA in days.

3) This certificate was downloaded to your GoogleTalk
client on login, and NEVER cached locally

Ok, from a Security Professional's POV this would be a
horror - certificates all generated by the CA (with no
guarantees they aren't available to third parties) but
it *would* bootstrap X509 into common usage,


That horse is dead.  It is not going into common usage.

SSL works in practice, X509 with CA certs does not work
in practice.  People have been bullied into using it by
their browsers, but it does not give the protection
intended, because people do what is necessary to avoid
being nagged by browsers, not what is necessary to be
secure.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     mQ0rM7wYdVTuoeMRUcrpDc1V9pUqhEgUmJMtyCZZ
     469u1yKDDCKWaUWwU/LYyE/7CVNRZV7OjXCs+Kyyc



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
