In listening to this thread and hearing all the hyperbole on both sides, I would suggest that we may need more fuel to the fire.

There was a rump presentation at the recent Crypto on the use of "Ceremonies" (which, pardon my misstatement in advance, is claimed to be computer protocols with the humans included). The presentation states, "Design a great protocol, prove it secure; add a user, it’s insecure". This specifically discusses SSL.

The entire rump session is at

scroll down to
   Ceremonies by Carl Ellison

The presentation and video

The video is about 50MB.



On Aug 28, 2005, at 10:32 PM, James A. Donald wrote:

From:               Dave Howe <[EMAIL PROTECTED]>

2) Google got into the CA business; namely, all
GoogleMail owners suddenly found they could send and
receive S/Mime messages from their googlemail
accounts, using a certificate that "just appeared" and
was signed by the GoogleMail master cert. Given the
GoogleMail user base, this could make GoogleMail a
de facto CA in days.

3) This certificate was downloaded to your GoogleTalk
client on login, and NEVER cached locally

Ok, from a Security Professional's POV this would be a
horror - certificates all generated by the CA (with no
guarantees they aren't available to third parties) but
it *would* bootstrap X509 into common usage,

That horse is dead.  It is not going into common usage.

SSL works in practice, X509 with CA certs does not work
in practice.  People have been bullied into using it by
their browsers, but it does not give the protection
intended, because people do what is necessary to avoid
being nagged by browsers, not what is necessary to be

         James A. Donald

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
