On Wed, 28 Jul 2010 15:30:08 -0600 Paul Tiemann
<paul.tiemann.use...@gmail.com> wrote:
> > However, in discussing this at a high level, as though we could
> > improve things, we shouldn't kid ourselves about the current
> > model. It is fatally broken. Hanging garlands from the corpse's
> > ears will not convince anyone that it has a vibrant future ahead.
> "it will CLEARLY not solve the browser security problem."
> "the certifications made by even the best of those CAs are
> effectively MEANINGLESS" "the users are well trained to ignore
> EVERY browser warning they EVER get" "the ENTIRE question of OCSP
> is somewhat irrelevant." "spritzing the SKUNK with eau de cologne."
> "hanging garlands from the corpses ears."

I stand by all the things I said above, other than the apparent lack
of an apostrophe in "corpse's". I realize it isn't moderate language,
but on the other hand, my meaning is unmistakable.

> That's all expressed in very certain terms.

We've been watching the slow motion accident very closely for a couple
of decades now. If that isn't long enough to develop certainty, I
don't know how many years would suffice. To believe we can fix the
mess now would be to ignore twenty years of experience.

> Is OCSP _that_ hopeless?

I believe you misunderstand me. I'm not talking about OCSP.  I'm
saying the entire X.509 certificate infrastructure used in web
browsers is hopeless. OCSP is just one small hopeless component of a
hopeless whole.

(I don't think things are particularly better in other applications of
the system, but there are almost no other widely used applications
beyond code signing anyway. S/MIME and the rest are not merely dead
but nearly forgotten.)

There are multiple completely fatal flaws in the system. Any one of
them alone would suffice. To repeat just a few:

1) The user's security depends on the security of the worst CA in the
system. If there is any dispute about this, I would like to know on
what basis. There should be no dispute that CAs have certified things
they should not have, and will do so again. There should be no dispute
that some CAs have been sold and their keys subsequently passed around
under less than ideal circumstances. There should be no dispute that
not all CAs are what would be universally considered trustworthy.

2) Users have been trained by too many false alarms to ignore all
browser warnings. If you don't believe me, there are fine papers about
what real users do when exposed to warnings, and they ignore
them. Users also have no real ability to understand the error messages
even if they did still care about them.

3) Revocation in the face of compromise is, as a practical matter,
nearly impossible.

4) CAs as a practical matter disclaim all liability and are not, in
fact, insuring anything in the sense of insurance.

5) The third party attestation idea is wrong as it does not properly
model the actual trust relationships and liability among the parties.

6) The entire idea of signed attestations that last for years is based
on a pre-Internet, largely offline model of security.

There is more, but why should we belabor it? The parrot is not pining
for the fjords. I'm only surprised that the nails have kept it
vertical for so long.

Perry E. Metzger                pe...@piermont.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
