Ian G wrote, On 2008-10-19 15:17:
> Nelson B Bolyard wrote:

>>  KCM would have accepted those certs without any complaint.
> Ahhh, not exactly!  With KCM, it is not up to it to accept any certs
> any time:  unfamiliar certs are passed up to the user for validation.

Yes, but the users are conditioned to accept all certs upon initial

I used to think SSH's KCM model was pretty good, until someone (it was
You, actually) opened my eyes to the fact that users do not attempt to
verify key correctness, do not attempt to do out-of-band verification of
key "thumbprints" or any other reasonable verification, but instead merely
always assume that the key they get is valid, the first time they connect
to the server.  When I learned that, I contacted many people who were SSH
aficionados, and they all confirmed the truth of that situation that had
been too horrible for me to even imagine until it was told to me.

So, today, I equate KCM with accepting all keys at face value, upon first
contact.  That's just what the victim in bug 460374 did.  I would not say
that it served her well.

> If the user does not validate, then she has done a bad thing.  

Um, er, well, in this case, she would have done a GOOD thing, no?

>> And don't forget the Debian key generator.  It showed us that a serious
>> flaw in KCM is the complete lack of any revocation mechanism.
> Not sure about that one?  Do you mean all the SSH servers that were
> exposed to compromise because of the Debian OpenSSL random snafu?

Yes.  And the 10MB file that SSH users must now drag around containing
all those bad keys, since there is no service to which they can turn for
revocation help.

> Even the nice low $$$ cost of a Startcom cert -- free! -- isn't going to
> wrest them away from their precious KCM, and for good reason: for that
> particular application, revocation isn't worth the costs that it would
> add to the solution.

That 10MB file that they all must drag around now is an ongoing cost
of the solution.  It's a back breaker for browsers, more than doubling
the size of the browser download to include that file.

>> I want to drive a stake through the heart of something, too.
>> Can you guess what it is?

> This one I can guess [1] :)
> [1] but I couldn't guess the one in your essay!

I'm quite curious!  What would you guess instead?

> If the user does not validate, or validates badly, then the world
> will eventually drift to failures.

And you have taught me well that users simply do not validate, but
merely accept all server keys at face value on initial contact.

dev-tech-crypto mailing list

Reply via email to