On 14/07/11 4:33 AM, Jeffrey Walton wrote:
On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald<jam...@echeque.com> wrote:
On 2011-07-13 9:10 PM, Peter Gutmann wrote:
As for Microsoft,
Microsoft have a big interest in bypassing the status quo, and they've
tried several times. But each time it isn't for the benefit of the
users, more for their own benefit, in that they've tried to rebuild the
security infrastructure with themselves in control. (recall .net,
InfoCard, Brands' patents, etc.) Nothing wrong with that, they have to
pay for it somehow.
This has proven ... a harder nut to crack than they envisage. But at
least they are trying, my hat goes off to them!
Opera, etc who knows? (If you work on, or have worked
on,
any of these browsers, I'd like to hear more about why it hasn't been
considered). I think it'll be a combination of two factors:
1. Everyone knows that passwords are insecure so it's not worth trying to
do
anything with them.
2. If you add failsafe mutual authentication via EKE to browsers, CAs
become
entirely redundant.
Indeed, if EKE is implemented in the most straightforward way, any page or
data that can only be accessed while logged in, is securely encrypted even
if accessed over http.
Free browsers are supported by CAs.
Well, not financially, more like the policy side is impacted by the CAs,
which are coordinated in a confidential industry body called CABForum.
This body communicates internally to Mozilla (being a member) and via
private comment by CAs to the CA desk.
Against that are a small and noisy but also uncoordinated group of user
representatives. As we're punching against an organised, paid opponent
that can't be seen, we don't get very far.
They (Mozilla, other vendors and the CAs) are in the process of raising
the standards yet again for CAs, on the back of various claimed breaches
of certs and rising angst against all security problems. Because they
have laid out their architecture, and because it makes money, they
aren't about to change it. But they are bedding it in.
The chances of them approving or agreeing to EKE are next to nil.
EKE enabled browsers would only be
supported by people needing secure logins, which form a less concentrated
interest, therefore an interest less capable of providing public goods.
I believe Mozilla is [in]directly supported by Google. Mozilla has
made so much money, they nearly lost their tax exempt status:
http://tech.slashdot.org/story/08/11/20/1327240/IRS-Looking-at-GoogleMozilla-Relationship.
I was also talking with a fellow who told me NSS is owned by Red Hat.
While NSS is open source, the validated module is proprietary. I don't
use NSS (and have no need to interop with the library), so I never
looked into the relationship.
Possibly, I haven't heard that. The problem with Mozilla security
coding is more this: most (all?) of the programmers who work in that
area are all employees of the big software providers. And they all have
a vested interest in working for the status quo, all are opposed to any
change.
(Not because they are bad or good, but because that's what they are paid
to do.)
(It doesn't help to offer help either; they have their ways of
rejecting any asymmetric help.)
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
