Ian G wrote:
> Hi Ram,

Hi Ian!

> Ram A M wrote:
> > >> I don't quite see how you can link these things that
> > >> you talk of - CRL/OCSP - to brand equity or reputation,
> > >> simply because a) CAs have no branding way to reach
> > >> the relying parties (users) and thus b) a very limited
> > >> way to convince purchasing parties (sites) of the need
> > >> to pay attention.
> >
> > The fact is that some if not all CAs are constantly engaged with large
> > companies, platform providers, government agencies, and other concerned
> > entities who have an interest in raising the bar for one reason or
> > another.
>
> Is that for real? Are any of these CAs talking
> to platform providers about fixing the holes in
> the browsers?

It seems to me FIs are paying the price every day in hard cash - that's
pretty motivating. I would have to assume they discuss their concerns with
everyone they think might be able to help. I am confident that Netscape had
many a talk with many a large FI during its lifetime.

> If I was a CA I'd be panicking by
> now, because CAs are obvious targets when it
> comes to phishing, and a class action jury isn't
> necessarily going to follow all the ins and outs
> of the CPS/CP and all that stuff.

CAs have been targets for as long as they have been part of the
gate-keeping system - that's a good argument in favor of requiring
effective revocation support for the 'good enough for electronic banking'
category of CAs and the code-signing category of CAs.

I am many things, a lawyer is not one of them. My understanding is that
best practices and best effort are very important criteria in law. That's
part of why I think eventually software providers and CAs alike will be
driven to quality with respect to security as well.

> > Additionally a CA who is committed to a long term business
> > based on trust is likely to do things to try and enable feedback loops
> > to align with competition for trust. You won't find stronger
> > back-office advocates for raising the bar than a committed CA. VeriSign
> > puts a lot of money and resources into maintaining its operations and
> > brand as trusted - that's no accident.
>
> I'd suggest you avoid using the word 'trust.' It
> will cause problems when someone calls you on it.

Eh. I trust the local instance of a big-brand gas station to provide gas
of a quality sufficient to keep my car happy. This is because I know they
value their brand and their revenue, both of which are tied to reliability
of their product. My trust in that gas station does not lead me to expect
them to advise me that there is a defect in the brake-system design of my
car, not unless they provide brake-system inspection services.

I assume that most of the time I interact with reasonable people or
companies and so I expect reasonable interpretations; when that's not the
case I am much more careful about my presentation. I don't feel this is a
hostile environment over-ridden with pedantic arguments; if that changes I
will change my style to suit.

> >> This isn't the CAs' fault, and every
> >> CA I have ever talked to understands that they are
> >> powerless to develop their brand and thus their features
> >> of quality of service until the browsers play their part.
> >
> > I don't think our product marketing guys would agree with that.
>
> OK! Ask them if they would like to reach out to the
> users of browsers? I'm curious what reason they would
> give for not wanting that. I'd love to learn what
> their real insiders' view of the brand is, aside from
> the normal "our brand is our asset and we protect it
> strongly blah blah..."

They have, they do, they will. I would be surprised to learn of a large
brand that doesn't.

> >> But until that happens, any talk about CA brand is just
> >> hypeware as far as I can see.
> >
> > I certainly agree that the end user is not very well empowered but
> > market research has shown consistently over the years that VeriSign is
> > a trusted brand on the internet, more so than some of the largest real
> > world brands.
>
> ! Well, there you go. As VeriSign has no way to
> reach ordinary users in the operations of its product,
> I'm not sure what the market research would test.

I said "not very well empowered", you said "no way." We may genuinely
disagree about this. I think those little logos on websites make a
difference to people - that's the effect of brand. Notice I said "a
difference", not perfect anything; this is not the end state but only the
current state in what I believe is still a relatively nascent
infrastructure.

> >> So, I'd suspect that brand and reputation are not useful
> >> reasons behind CRL/OCSP work, as yet. It may have a
> >> strategic future, but that's for the futurologists.
> >
> > I agree that in the grey area of "useful" it is not as useful as it
> > will be "as yet." Strategy is all about planning to reach your goals.
> > As MoFo has a goal of making the user safer the use of strategy is
> > appropriate; I suppose this is a futurologistic debate :p
>
> It is, and I'm somewhat surprised that nobody's called
> me on it before ;) This is a very strategic debate, it's
> about what happens in the next wave of phishing, where
> CAs have to face threats.

I think the larger CA operators would claim they do face threats every
day. Do you have any data on the enrollment rejection rates?

> With any luck there will be
> some defences in place. If it were to start today, I'd
> think we'd have big problems.

I kind of agree. I think if phishing were 20x more popular we would see
MoFo et al rushing to either decimate the root-lists or create
distinctions based on practical differences such as authentication and
revocation qualities.

> >> Of course, we have fraud out there, that's what the
> >> revocations are intended to stop. So it is a simple
> >> matter of measuring how much fraud is out there, then
> >> working backwards from that to work out how many fraud
> >> transactions are blocked by the revocations that actually
> >> get through to the relying parties.
> >
> > Yep. I agree that lower latency of revocation increases value, such that
> > CRLs that are updated more frequently or OCSP responses that reflect
> > more current status are useful from a practical perspective.
>
> Sure, once we have some basic figures on how much
> fraud these things stop, one can look at the benefit
> of tuning. Until those figures are in, however, I
> wouldn't advise too much tuning, that would be
> premature optimisation.

No offense, but I hope the MoFo community disagrees with you. From my
perspective your comment seems to require that until this kind of
analysis is provided or becomes available to MoFo it should only
respond and not lead. I can agree with you that conservation of resources
is worthy and that doing something just for the sake of not doing nothing
is a poor idea. However I think there is a strong and obvious case for
valuing revocation checking.

> Right now, it's a catch up game - catching up
> with the phishing.
>
> This has the benefit of having a really clear target.
> Fix phishing. Doesn't get much clearer than that.
>
> But it does mean that the market is moving and Mozilla
> has a clear choice - react now as it sees it move, or
> react too late, and then pay the penalty. The other
> thing that is very clear is that the next milestone
> is "this summer" when Microsoft releases its anti-phishing
> release of IE. Better have a good story
> to tell by then, just in case Microsoft surprise us
> all and get it right.

"Get it right" sounds a lot like perfect to me. I think there is value to
making imperfect progress. That doesn't require MoFo doing something which
eliminates phishing, unless you want the same strategy for phishing that
folks are pursuing for spam [hold on, someone will come up with a perfect
solution that eliminates all spam, protects individual privacy, costs
nothing, and has no phase-in problems].

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
