Again, I think Nelson brings up points better off
transferred to the wider forum rather than within
the narrow context of the bug.



[EMAIL PROTECTED] wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=286107

------- Additional Comments From [EMAIL PROTECTED] 2005-03-16 13:33 PST -------
Above, I didn't mean to accuse Ian of any wrongdoing, and in retrospect I see
that what I wrote could be construed to imply that I did. I only mean that
the suggestion that we need a solution to a problem of untrustworthy CAs will
influence some (who are not fully aware of the current CA trust policies) to imagine that this is a problem that exists today, and to pursue solving this
non-problem. I think we should focus instead on the problem at hand.


Certainly I try and separate the people from the discussion,
that's why I'm boringly dogmatic in stressing (my) goal in
this discussion.  As to whether "we need a solution to the
problem of untrustworthy CAs" I also addressed that in the
previous post so won't repeat it here.


I do not think that security policy should be decided entirely democratically,
nor that we should relax our standards so that they no longer exceed the average person's understanding of the issues.


The standards are there to spread the knowledge of a
complex subject, where coordination is needed.  Often
people will follow standards as a rule set because it
is far easier to do that than to figure out what to
do every time a question arises.

Yet standards can get out of date.  And standards are
in place for the norm, not the exception.  As we have
here a situation which (I assert) is in crisis / epidemic
proportions then the standard may be expected to bend or
even need to be replaced entirely.


I am afraid that this issue is going to be (unduly, IMO) influenced by the sheer volume of words expressed on one side of this discussion.


It's a complex subject.  As written voluminously,
browsing is in crisis.  What lesser volume could we
write to get some attention on that point?


This isn't a matter of blindly following standards and RFCs. There is a large community of security cognoscenti who are all behind PKI. I respect
their collective judgements. However they do not speak much in mozilla's forums and bug reports. Mozilla's forums do hear a lot of the dissenting
opinion, however, and it is possible for someone whose only understanding
of the issues comes from these forums to conclude that these dissenting opinions are the majority opinions, the opinions of the experts. This is
how cults operate, the members hear only one view.


OK, that's a serious issue and I'll address it.

The reason Mozilla's forums hear a lot of dissenting opinion
is twofold.  Firstly, Mozilla happens to represent the
great white hope of the browsing world.  It's growing
rapidly, and therefore can be expected to have some heavy
effect on the marketplace.  It's also open source, it's
also got the only open security forum in the business
(this group).  This is the only place you can find any
security representation - you, Frank, Bob, Julian, David,
sorry for missing anyone out - so, yes, you are point
men on the browser security community for every other
browser by default.  Sorry about that :)

Secondly, the reason the dissenters are dissenting is
because they have thought about it, and in general they
can see the flaws.  But more importantly you will find
that the dissenters have no bias towards the model.  I
for example make zero bucks one way or the other.  Peter
Gutmann makes a bit of dosh selling his toolkits on
occasion, but he might make more money by being solid
and truthful about flaws than sounding like he's selling
used cars, as most security tool sellers do.  Bruce
Schneier, another frequent critic, makes no money as he
has his own company.  Dan Geer, another critic, has lost
his job over telling the truth, so I guess maybe he has
got a bias now :)

OTOH, you won't find RSADSI or Verisign here dissenting
because they almost certainly sell a PKI toolkit, and
they're not likely to commit commercial suicide just to
maintain some academic integrity.

Which brings us to your next point - the large security
community who are behind PKI.  Historically this was a
fair assessment, but I think it is changing.  It might
be the time to ask for opinions on that, to re-open the
question of just who is solidly "behind PKI" without
question.  Over on the cryptography group I'd say that
more than half would now question PKI and easily more
than half would say that PKI as it is set up in HTTPS/
secure browsing contributes to phishing, as well as forms
the basis for its solution.  Yes, you don't get out of
this one by just reciting security wisdom and RFCs...

Over in the marketplace, the market for PKI has been in
the doldrums for a few years, and I really don't want to
print what the average *purchaser* thinks about it.


I simply want the readers of this bug to be sure that they're solving the real problems today, not the problems of some hypothetical situation that we are not in, and to be aware that the views so voluminously expressed by a few in mozilla forums may not be representative of the majority view of
security experts, nor of the larger mozilla user community (who do not
participate in these forums).


Well, let's hear from these security experts?  Or,
here's an easier one:  can we find or identify any
CAs and their experts who will come forth and agree
with your pov?  The ones I've talked to privately
have all agreed that we need more browser gfx, more
CA branding, they all love the TrustBar thing, and
they want more ways to compete against more certs.

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security