Frank Hecker wrote: ...
(mild distraction into the arcana of history)
History: The model has not always been binary. In Netscape Navigator 3, the browser used a key icon that had 3 states:
- broken
- short, with one tooth
- long, with two teeth.
Two teeth meant "good enough for banking", and one tooth meant "better than nothing, but not good enough for banking".
A minor correction, but IMO a pertinent one: one tooth actually meant "encrypted using a 40-bit symmetric key" and two teeth meant "encrypted using a 128-bit key". Equating that distinction to "not good enough for banking" vs. "good enough for banking" was an after-the-fact interpretation, an interpretation that was to some extent subjective. And in any case the question of key length was orthogonal to the question of "high assurance" certs vs. "low assurance" certs.
Ah... the Cryptowars, the good old days :-D In my dreams I think of ways to restart the crypto wars, when crypto meant something and people worked on crypto for the spirit of security.
Coming back to reality, that whole 40-bit key thing was nothing to do with banking. It was all to do with the crypto export restrictions, and banking was seized upon as a convenient and hard-to-refute excuse that tongue-tied the average White House bureaucrat.
40-bit crypto was fine for banking and probably still is, as we lack any viable threat model for eavesdropping, and the costs and risks associated with crunching one session don't equate with the profit. (Peter Gutmann reports that the cost of stolen credit card information is down less than a buck, so to make crypto-crunching viable, you have to crunch at substantially less than a buck, including all risks **.)
Also note that, as has been exhaustively discussed, there is way less strength in the certificates arm of the HTTPS secure browsing model, with a $30 cert being easy to obtain, and being amortised over thousands of phishes, so while there is potentially a Pareto-secure improvement in going from 40 bits to 128 bits, it isn't worth paying any dosh for.
Still, both points to some extent are valid: we can have a ternary security model again if we want to (Nelson's point) and we just have to decide what those 3 points are (Frank's point).
iang
** Sorry about the PDF... http://www.cs.auckland.ac.nz/~pgut001/pubs/dammit.pdf

--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
