Ian G wrote:
> Ram A M wrote:
> > Ian G wrote:
> I don't quite see how you can link these things that
> you talk of - CRL/OCSP - to brand equity or reputation,
> simply because a) CAs have no branding way to reach
> the relying parties (users) and thus b) a very limited
> way to convince purchasing parties (sites) of the need
> to pay attention.

The fact is that some if not all CAs are constantly engaged with large companies, platform providers, government agencies, and other concerned entities who have an interest in raising the bar for one reason or another. Additionally a CA who is committed to a long term business based on trust is likely to do things to try and enable feedback loops to align with competition for trust. You won't find stronger back-office advocates for raising the bar than a committed CA. VeriSign puts a lot of money and resources into maintaining its operations and brand as trusted - that's no accident.

> This isn't the CAs' fault, and every
> CA I have ever talked to understands that they are
> powerless to develop their brand and thus their features
> of quality of service until the browsers play their part.

I don't think our product marketing guys would agree with that.

> But until that happens, any talk about CA brand is just
> hypeware as far as I can see.

I certainly agree that the end user is not very well empowered but market research has shown consistently over the years that VeriSign is a trusted brand on the internet, more so than some of the largest real world brands. As I've said I think that as the system matures the market will pressure software providers to improve the user's 'safety' and that will put pressure on commercial software providers (especially those with deep pockets) to raise the bar on CAs. The only concern I have is that there is a race between that pressure and the perception of safety. Depending on the outcome of the race we will either have a market that is regulated by free-market feedback (because the technology is aligned with the value such that feedback mechanisms work) or we will have a market that is regulated by public agency. Personally I think "we the people" are better off with the former even if, in the short term (and to your point), my employer is better off with the latter.

> (This point comes out in the TrustBar paper where they
> tested the brand recognition, and even Verisign flunked
> the test.)

I love TrustBar and have a tremendous amount of respect for the work Amir and co. have done. I think they've drawn some good conclusions and improved the safety of their 'customers.' Nonetheless I don't agree with that conclusion.

> So, I'd suspect that brand and reputation are not useful
> reasons behind CRL/OCSP work, as yet. It may have a
> strategic future, but that's for the futurologists.

I agree that in the grey area of "useful" it is not as useful as it will be "as yet." Strategy is all about planning to reach your goals. As MoFo has a goal of making the user safer the use of strategy is appropriate; I suppose this is a futurologistic debate :p

> > I don't know, that information is by and large available by looking at
> > CRLs - at least for the public CAs.
>
> Google found them in one hit :) Unfortunately, even
> though there are some very big files there, they are
> in binary, so not easy to count the number of entries,
> nor skim them for applicability.

It's easy enough to estimate. CRLs basically have a strict format, a relatively small header and then a list of serial numbers. Since VeriSign uses what appears to be random serial numbers (one strategy against hash algorithm collisions) that are fixed in length one could deduce the number of revocations. Alternatively tools like OpenSSL or the Windows native UI will allow you to count or page through lists of serial numbers (not recommended to do this via paging - it's more than 100 per year). Not sure what you mean by applicability.

> Of course, we have fraud out there, that's what the
> revocations are intended to stop. So it is a simple
> matter of measuring how much fraud is out there, then
> working backwards from that to work out how many fraud
> transactions are blocked by the revocations that actually
> get through to the relying parties.

Yep.
I agree that lower latency of revocation increases value such that the CRLs that are updated more frequently or OCSP responses that reflect more current status are useful from a practical perspective.

> Nothing's perfect, we will see a failure rate in there,
> where something didn't work out and a fraud got through.
> It's probably a benefit if it can reach 50% savings.
> If it was only 10% savings I'd be skeptical of its value,
> and if it was 90% it would be miraculous.
>
> But somewhere between those numbers would be grand, this
> would be a solid working number that said to Mozilla,
> yes, we can hang a hat on this. We can say that the
> attention paid to CRLs is definitely something to bring
> to our users in a positive discriminatory fashion.

I try hard to recognize that I have a CA hat in my closet. I'll say that with or without my hat I want to see software providers innovate rather than react. One of the reasons I value this debate in nmp* is that I think through debate we can reach consensus on improvements, hopefully proactive improvements even if they are imperfect. I assume that's more or less universal in npmc & npms.

> > Well one approach to valuing it is to ask how much it's worth to shut
> > down a phishing site after two hours instead of a day or three. I think
> > the lower the up-front authentication the more important revocation
> > becomes; this assumes the authentication is valued or leveraged.
>
> Right, that's the sort of calculation we need. That
> would be a perfect example for Mozilla to bring to its
> users.
>
> ( But, until Firefox forces the phishers to use
> certs, that is a hypothetical. I saw an SSL phish
> once about 2 years back and followed it through for
> the investigative experience ... but nobody else has
> seen them to my knowledge. I would cheer the day we
> say more of them, it would mean we would be making a
> difference. )
>
> So maybe the answer is that until SSL phishing starts
> we cannot determine the value of CRLs and thus they
> cannot be used as a way to determine "low"/"hi" assurance?

I think it's better to help craft the future by making improvements today. The difference is the driver, the good guys or the bad. The way I see it the good guys outnumber the bad by orders of magnitude and therefore small practical improvements by the good guys (in parallel) make for more rapid change towards their goal.
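
The two ways of counting revocations mentioned in the message above (walking the CRL's strict format, and deducing the count from file size when serials are fixed-length), as an added example that is not part of the original message. It assumes 16-byte serials and UTCTime entries without per-entry extensions; `sample_crl` builds a constructed CRL with a placeholder all-zero signature, and all function names are hypothetical.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def revoked_serials(crl):
    """Walk CertificateList -> TBSCertList -> revokedCertificates (RFC 5280)."""
    tag, vs, _ = read_tlv(crl, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM must be base64-decoded first)")
    _, ts, te = read_tlv(crl, vs)
    fields = list(children(crl, ts, te))
    i = (1 if fields[0][0] == 0x02 else 0) + 2  # optional version, then sig alg and issuer
    while i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                              # thisUpdate, optional nextUpdate
    if i == len(fields) or fields[i][0] != 0x30:
        return []                           # empty CRL: the list is omitted entirely
    _, rs, re_ = fields[i]
    return [int.from_bytes(crl[s:e], "big")
            for _, es, _ in children(crl, rs, re_)
            for _, s, e in [read_tlv(crl, es)]]  # first field of each entry is the serial

def estimate_count(crl, serial_len=16):
    # per entry: SEQUENCE hdr (2) + INTEGER (2 + serial_len) + UTCTime (2 + 13)
    return len(crl) // (serial_len + 19)

def tlv(tag, body):                         # minimal DER encoder, used for the sample only
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_crl(count):                      # constructed CRL; signature is zero bytes
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Constructed Test CA"))))
    when = tlv(0x17, b"250101000000Z")
    entries = b"".join(tlv(0x30, tlv(0x02, b"\x40" + i.to_bytes(15, "big")) + when) for i in range(count))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + when + when + (tlv(0x30, entries) if count else b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(256)))
```

The size-based figure overshoots slightly because it also divides the header and signature bytes by the entry size; the exact walk does not verify the CRL signature, so it counts entries without establishing that the list is authentic.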
