Frank Hecker wrote:
> Ian G wrote:
>> There are two approaches with the padlock, as you suggest:
>> the high road and the low road. The problem with the low
>> road is that nobody is happy with the perception of
>> lowered security. The problem with the high road is that
>> VeriSign aren't going to agree that Comodo's high-ass certs
>> are as good as the VeriSign ones.
>
> Of course not, but that's their problem, not ours.

Actually, it's the user's problem, and therefore Mozilla's
problem (assuming an implicit goal, so that's debatable).
As Mozilla provides no way to show the user easily whether
the cert is a high assurance one from VeriSign as opposed
to the Comodo alternate, we are again left with the lowest
common denominator - VeriSign is offered no incentive to
improve theirs beyond the minimum needed. So they'll all
be "just enough to clear the bar" and in some cases they
won't clear the bar, but nobody notices. The result will
be anything but high assurance.

> We (the browser
> vendors) could easily make a determination that a "high-assurance" cert
> from CA Foo is equivalent to a "high-assurance" cert from CA Bar, at
> least as far as typical users are concerned. See my next message for a
> strawman proposal to do exactly that.

Responded :)

>> Of the two, I'd prefer the low road: padlock signifies
>> that a TLS connection is in place.
>>
>> I think this matches the "pure view of TLS". The purpose
>> of the cert is to simply stop the MITM, so the domain needs
>> to be checked only. Hence Ram's "control-of-domain" term.
>
> But IMO your "pure view" of certs as an anti-MITM defense is just as
> much an idealization as the "pure view" that certs prove identity. I

Well, maybe pure is the wrong word - how about "minimalist view"?

> think the reality is rather that for typical users the padlock simply
> means "it's OK to send my cherished personal information", no more and
> no less.

Ah. That I don't see. See my #1.

>> There is an even further step beyond, which might be called
>> "the trust view." That is, if the padlock is on, you can
>> trust... This is hopeful at best and will lose the client
>> money at worst, simply because trust is an undefined concept,
>> and thus is oversold. In the security community these days,
>> we tend to perceive the word 'trust' as snake oil; if you
>> can't describe your claims without using the word trust, it
>> is likely you don't know what your claims are, and you are
>> just hoping the listener doesn't notice.
>
> Snake oil or not, I think the "trust view" is exactly what typical users
> hold, for better or worse. (And I might add that just because a concept
> is slippery and ill-defined doesn't mean it is wholly without validity
> or use in real life.)

Certainly what you say as to validity is true. But, when
we cannot define it and it slips through our fingers, by
what theory are we to change it?

>> Which still leaves (sorry to bring this up) the
>> oddball meaning of a self-signed cert. Where this gets
>> interesting is that when it first appears, it signifies
>> a secure connection albeit with a minor risk of MITM.
>> But, if the user then accepts that connection, and if
>> she could record that acceptance, then follow-on connections
>> would potentially deserve the padlock. Still, let's ignore
>> that for now...
>
> See my next message for how I'd propose to treat self-signed certs.
> (Short answer: better than we do now, with all the alarming warning
> dialogs, but not as you'd like them to be.)

Sure. Just to clarify, in the scheme of things, there
are bigger phish to fry than self-signed certs, IMO. I
think they do make a rather interesting edge case by
which to test any proposal though.

> Frank
>
> P.S. Apropos of these discussions, there's an interesting post by Clay
> Shirky (ostensibly on the subject of the "Wikipedia vs. Encyclopedia
> Britannica" debate) that posits two classes of people: "radialists" and
> "Cartesians":
>
> http://www.corante.com/many/archives/2005/03/09/one_world_two_maps_thoughts_on_the_wikipedia_debate.php

I read this initially as you accusing me of not being a radicalist :)

> After reading it I realized that I am a "radialist" at heart, while I
> suspect you are a "Cartesian" (as are certain others on this group as
> well). I am interested in incrementally improving the situation in which
> we (browser vendors, CAs, and end users) find ourselves, without
> necessarily ending up in some posited ideal end state. My next
> message ("Strawman proposal for SSL UI changes") is an example of this
> approach in action.
>
> I think there is a place for the "Cartesian" approach, but I think in
> practice it will prove to be outside the traditional SSL/TLS/PKI domain.

OK, here's what I see. My proposal is cartesian, definitely.
In that this whole thing has been bounced around some of the
best minds in the security business, and we've definitely got
a view as to where we want to end up. We've got some experimental
research backing it up, and we now have a collected set of works
addressing each of the points. We've also worn down the opponents
and noticed that they are now pushing the vision :)

How we get there - the radial view - is beyond our scope. We,
the crypto / security community in general, cannot definitely
say how to get there because we don't know where here is; we
are actually outside the framework of any given actual security
system.

To put it in product terms, the model that is espoused (user
engagement, petnames, branding, caching, logos, etc) is valid
for all browsing systems based on the CA/PKI model. The
model is applicable for Microsoft, Konqueror, Opera, and of
course Firefox.

How to implement it in the Firefox world is beyond my reach,
though. I'm not inside the Firefox world, nor inside the
security team, nor even inside Mozilla. The job of radiating
from here to there is something those on the inside have to
work out, if they so choose to go that path.

The best we can do on the outside is present that end point,
and describe why we think that's the place to head for. As
I often write, the little incremental steps there - the yellow
bar and status domain are exactly those - are very welcome.
"That's great, more please!"

iang

PS: another big distinction is that it's not about people,
but about interests - when I run my teams, I am a radialist,
in the terms above, because I'm paying for the changes.
Cartesian shifts are incredibly expensive, and I would
generally treat such as a sacking offence. But that's
when I am responsible for the deliverables.
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/