On 06/26/2011 05:58 PM, Ian G wrote:
On 26/06/11 5:50 AM, Ralph Holz wrote:
- you don't want to hurt the CAs too badly if you are a vendor
Vendors spend all day long talking internally and with other vendors.
Consequently, they tend to forget who holds the real money.
For most healthy vendors in a market economy, that's the customers.
Browsers seem to live on a planet without the usual market forces however.
In the case of Mozilla, 97% of their revenue comes from "royalties"
http://www.mozilla.org/foundation/documents/mf-2009-audited-financial-statement.pdf
of which 86% is one contract. It's a safe bet that's probably Google.
That contract is said to expire in November, and Google now makes a
"competing" browser.
Google seems to care more about actual security than Mozilla. Last I
checked Mozilla didn't even bother to sign all the addons for their own
package system, whereas we see Google doing things like pinning their
own certs in the Chrome codebase.
Maybe that's because Google actually runs services that people use (e.g.
Gmail).
- it still means researchers won't get the numbers they need. And
the circle closes - no numbers, no facts, no improvements, other
than those subjectively perceived.
OK. So we need to show why researchers can benefit us with those
numbers :)
Because having a system that's credibly secure will increase
adoption among organizations with money.
You can't credibly claim to defend against earthquakes while keeping
seismic resiliency data secret.
(IMHO, the point is nothing to do with researchers. It's all to do
with reputation. It's the only tool we have. So disclosure as a blunt
weapon might work.)
Nothing undermines credibility and "trust" like public denials and secrecy.
CAs seem to think they can act like nuclear power plant operators or
something. But NPPs at least produce electric power! On the other hand,
every additional trusted root beyond the necessary minimum represents
pure risk.
The general public and those who defend networks understand the need to
take active network attacks seriously far more than they did just a year
or two ago.
- Marsh
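The message above mentions Chrome pinning Google's own certificates and argues that every extra trusted root is pure risk. The following is an added example (editor's code, not from the thread, Chrome, or Mozilla) showing the mechanism that makes pinning independent of the root store: the client hashes the leaf's SubjectPublicKeyInfo and compares it against a pin set, so a certificate for the same hostname signed by any other trusted CA is rejected. The certificates, the hostname `mail.example.test` and the helper names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin computes the HPKP-style pin of a certificate:
// base64(SHA-256(SubjectPublicKeyInfo DER)). Pinning the SPKI rather than
// the whole certificate survives re-issuance as long as the key is kept.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned accepts a presented chain only if at least one certificate
// in it carries a pinned public key. Which CA signed the chain is irrelevant.
func verifyPinned(chain []*x509.Certificate, pins map[string]bool) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return errors.New("no certificate in chain matches a pinned SPKI hash")
}

// pinnedTLSConfig wires the pin check into crypto/tls. VerifyPeerCertificate
// runs after the normal chain validation against the root store, so a
// mis-issued certificate from any trusted root still fails the pin check.
func pinnedTLSConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			chain := make([]*x509.Certificate, 0, len(rawCerts))
			for _, raw := range rawCerts {
				c, err := x509.ParseCertificate(raw)
				if err != nil {
					return err
				}
				chain = append(chain, c)
			}
			return verifyPinned(chain, pins)
		},
	}
}

// selfSigned builds a throwaway self-signed certificate with a fresh P-256
// key. Constructed test data: it stands in for a real server certificate.
func selfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo pins the genuine server key, then checks that the genuine certificate
// passes and that an impostor certificate for the same name (different key,
// as a mis-issued CA certificate would be) is rejected.
func Demo() (genuineAccepted, impostorRejected bool, err error) {
	genuine, err := selfSigned("mail.example.test")
	if err != nil {
		return
	}
	impostor, err := selfSigned("mail.example.test")
	if err != nil {
		return
	}
	pins := map[string]bool{spkiPin(genuine): true}
	genuineAccepted = verifyPinned([]*x509.Certificate{genuine}, pins) == nil
	impostorRejected = verifyPinned([]*x509.Certificate{impostor}, pins) != nil
	_ = pinnedTLSConfig(pins) // how the check would be attached to a real dialer
	return
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, impostor rejected: %v\n", ok, rejected)
}
```

The pin check is deliberately layered on top of ordinary chain validation rather than replacing it; removing `InsecureSkipVerify`-style shortcuts keeps expiry and name checks intact while the pin removes the dependence on the size of the root store that the message complains about. A real deployment also needs a backup pin for the next key, or a key rotation locks clients out.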
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography