RE: Certificate / CPS issues
> I cannot simply, they could be fake, and there is no establishment of trust, especially if the keystore component is written by Microsoft.

Why are keystore components written by Microsoft peculiarly unworthy of trust? The procedures used to determine the list of certification authorities in Windows XP, Internet Explorer and other Microsoft products are documented at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp

-- Christian Huitema
Re: Engineering to deal with the social problem of spam
everyone--

Here's a silly idea: let's try adding an option for hashcash to APEX. (Or has someone already done that?)

If the problem with hashcash is that worms can steal CPU cycles to generate hashcash, then let's attack the problem of worms separately from the problem of spam suppression.

If the problem with hashcash is that poor people are taxed more heavily than rich people for the utility of spam suppression, then-- well-- they should upgrade their CPUs, now shouldn't they? And as for those too poor to keep their CPUs current, Let Them Eat SMTP. They clearly have an unhealthy interest in paying to receive MAKE MONEY FAST spam, so we should encourage them to continue using SMTP anyway.

The Internet interprets censorship as damage and routes around it. Let SMTP continue to serve the useful function it serves: carrying spam messages.

-- j h woodyatt [EMAIL PROTECTED]
Re: Certificate / CPS issues
Haren writes:

> Some CA has sold their private key to get out of bankruptcy.

Which one?
RE: Certificate / CPS issues
--On Tuesday, 10 June, 2003 09:12 -0700 Christian Huitema [EMAIL PROTECTED] wrote:

> The procedures used to determine the list of certification authorities in Windows XP, Internet Explorer and other Microsoft products are documented at:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp

Christian,

Others may respond differently, but I found one part of this very interesting. The text says, in part:

    When a user visits a secure Web site (that is, by using HTTPS), reads a secure e-mail (that is, S/MIME), or downloads an ActiveX control that uses a new root certificate, the Windows XP certificate chain verification software checks the appropriate Windows Update location and downloads the necessary root certificate. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes.

Suppose a user has sufficient expertise and desire to make individual evaluations of which CA certs to accept and from what CAs. With the earlier model, she could look through the list, adding and deleting root certs according to her preferences and using Microsoft's acceptance of a given cert as a guide (to whatever extent she saw that as appropriate). Now, if I read this correctly, there is no more choice: any cert accepted by Microsoft is automatically trusted by the desktop software and the user can't say, e.g., "I know that XYZ Corp, who met Microsoft's criteria, was just bought out by ABC Corp; I believe that ABC are scum and don't want to trust any cert issued by any subsidiary of theirs, even if it was issued pre-merger."

Conversely, if I'm part of an enterprise that issues its own certs for internal purposes, it doesn't look as if I can make those certs usable in the XP environment, since such internal certs don't satisfy the "broad business value to Microsoft platform customers" criterion and hence will not be accepted by Microsoft for use in the specified environment.

I hope this is only part of the story, and that user options to accept some certs (even if they are not accepted by Microsoft) and reject others (even if they are accepted by Microsoft) still exist in some usable form.

regards,
   john
Re: Certificate / CPS issues
John writes:

> Now, if I read this correctly, there is no more choice ...

You read incorrectly. Default behavior is not mandatory behavior.

> Conversely, if I'm part of an enterprise that issues its own certs for internal purposes, it doesn't look as if I can make those certs usable in the XP environment, since such internal certs don't satisfy the "broad business value to Microsoft platform customers" criterion and hence will not be accepted by Microsoft for use in the specified environment.

You read incorrectly, again. You can add any certificates you want to your machines. You just can't get Microsoft to make them publicly available for distribution by MS without convincing them that doing so is worthwhile for Microsoft, which makes perfect sense.

> I hope this is only part of the story, and that user options to accept some certs (even if they are not accepted by Microsoft) and reject others (even if they are accepted by Microsoft) still exist in some usable form.

They do. Look under Internet Options in Internet Explorer.
Re: Certificate / CPS issues
Anthony,

I asked Christian for a reason. This appears to be relatively new. It isn't clear, from either the article or his note, how much of it is deployed already. It is linked, the article says, to Win XP and not to IE -- there are different procedures, it says, for IE under Win 2000, ME and earlier than are proposed (apparently going forward) for XP. It strongly implies that, if there are options to control this, they are (will be?) Windows options, not (specifically) IE options (although IE might well be able to access them). I don't have a copy of Win XP here, much less one with this kit installed, so I have no idea whether there is an easily-accessible option that permits turning "ask me before installing a cert" on, or what information that question provides. The article might lead a reasonable person to believe that those things had been turned off, with no options available to the casual user, in the interest of a good user experience (something I can certainly make a case for, even while preferring that they not do it to me). But, I don't know, which is why I asked.

And, unless you are in a position to speak authoritatively for Microsoft,...

regards,
   john

--On Wednesday, 11 June, 2003 01:07 +0200 Anthony Atkielski [EMAIL PROTECTED] wrote:

> John writes:
>
> > Now, if I read this correctly, there is no more choice ...
>
> You read incorrectly. Default behavior is not mandatory behavior.
>
> > Conversely, if I'm part of an enterprise that issues its own certs for internal purposes, it doesn't look as if I can make those certs usable in the XP environment, since such internal certs don't satisfy the "broad business value to Microsoft platform customers" criterion and hence will not be accepted by Microsoft for use in the specified environment.
>
> You read incorrectly, again. You can add any certificates you want to your machines. You just can't get Microsoft to make them publicly available for distribution by MS without convincing them that doing so is worthwhile for Microsoft, which makes perfect sense.
>
> > I hope this is only part of the story, and that user options to accept some certs (even if they are not accepted by Microsoft) and reject others (even if they are accepted by Microsoft) still exist in some usable form.
>
> They do. Look under Internet Options in Internet Explorer.
Re: Engineering to deal with the social problem of spam
On Tue, 10 Jun 2003 10:08:15 PDT, james woodyatt [EMAIL PROTECTED] said:

> And as for those too poor to keep their CPUs current, Let Them Eat SMTP. They clearly have an unhealthy interest in paying to receive MAKE MONEY FAST spam, so we should encourage them to continue using SMTP anyway.
>
> The Internet interprets censorship as damage and routes around it. Let SMTP continue to serve the useful function it serves: carrying spam messages.

Ahem. I have several million dollars of compute resources at my disposal. It will take a fairly large hashcash request to make it painful for me.

There's a *large* number of people still in the 386 world, who are financially unable to upgrade. That same hashcash request that will not inconvenience my hardware will probably kill their box for the better part of an hour. You are concluding that they therefore have an interest in paying to receive spam???

If anything, spam is a *bigger* problem for those on older hardware, simply because they have fewer computrons available to process it - so you're basically creating a regressive tax here.

Just because the Internet routes around censorship doesn't mean that we have the moral right to censor those people who need it the most - those in underdeveloped countries with repressive regimes. Just because the Great Firewall of China exists doesn't mean we should add injury to insult by disenfranchising those who manage to get around the firewall.

There is junk fax - and the Berlin Wall was brought down by fax machines. Let's not get this wrong.
Re: Engineering to deal with the social problem of spam
On Tuesday, Jun 10, 2003, at 22:12 US/Pacific, [EMAIL PROTECTED] wrote:

> [...]
>
> There's a *large* number of people still in the 386 world, who are financially unable to upgrade. That same hashcash request that will not inconvenience my hardware will probably kill their box for the better part of an hour. You are concluding that they therefore have an interest in paying to receive spam???

Yup. I am.

> If anything, spam is a *bigger* problem for those on older hardware, simply because they have fewer computrons available to process it - so you're basically creating a regressive tax here.

And I'm not going to apologize for proposing it. Look, the phenomenon of spam is already a regressive tax, in and of itself. I'm just looking for a way to get some useful work done in exchange for receiving it. And I certainly won't mind if someone else is interested in paying me for the option to use the result of whatever useful work your CPU has to do to get your message in front of my eyeballs.

> Just because the Internet routes around censorship doesn't mean that we have the moral right to censor those people who need it the most - those in underdeveloped countries with repressive regimes.

Who's talking about censorship? I'm not proposing that we outlaw SMTP.

-- j h woodyatt [EMAIL PROTECTED]
that's my village calling... no doubt, they want their idiot back.
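The cost model the hashcash messages above argue over (minting work grows as 2^bits, verification is a single hash, and the minting work is identical whether a 386 or a cluster performs it) can be seen directly in a small minter and verifier. This is an added example, not code from any of the posters or from the hashcash or APEX projects. The stamp layout follows hashcash v1 (ver:bits:date:resource:ext:rand:counter, hashed with SHA-1); the decimal counter, the example addresses, and the two-day expiry window are assumptions of this example.

```python
"""Hashcash-style proof-of-work stamps (added example, not from the thread).

Minting searches for a counter until SHA-1(stamp) has at least `bits`
leading zero bits: about 2**bits hash evaluations on average, paid by the
sender.  Verification is one hash plus a few field checks, paid by the
receiver.  Raising `bits` doubles the sender's cost per bit and leaves the
receiver's cost unchanged, which is exactly the asymmetry the thread debates.
"""
import base64
import hashlib
import os
import time
from datetime import datetime, timedelta, timezone

STAMP_VERSION = "1"


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest: the amount of work a stamp proves."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()  # zero bits before the first set bit in this byte
        break
    return n


def parse_stamp_date(yymmdd: str) -> datetime:
    """Hashcash dates are YYMMDD; interpret them as UTC midnight."""
    return datetime.strptime(yymmdd, "%y%m%d").replace(tzinfo=timezone.utc)


def mint(resource: str, bits: int, date=None, rand=None):
    """Sender side. Returns (stamp, attempts). Expected attempts: 2**bits.

    `date` and `rand` may be fixed for reproducible tests; by default the
    date is today (UTC) and rand is 8 random bytes, base64-encoded.
    The counter is written in decimal (an assumption of this example;
    hashcash tools use base64, the verifier does not care)."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(8)).decode()
    prefix = f"{STAMP_VERSION}:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: set,
           now=None, max_age_days: int = 2):
    """Receiver side. Returns (ok, reason).

    Cheap checks come first; the hash is computed once; the double-spend
    set is updated only after the work has been confirmed, so an attacker
    cannot fill `seen` with stamps that carry no work."""
    now = now or datetime.now(timezone.utc)
    parts = stamp.split(":", 6)
    if len(parts) != 7 or parts[0] != STAMP_VERSION:
        return False, "malformed stamp"
    _, bits_s, date_s, res, _ext, _rand, _counter = parts
    try:
        bits = int(bits_s)
        stamp_date = parse_stamp_date(date_s)
    except ValueError:
        return False, "malformed fields"
    if res != resource:
        return False, "stamp minted for a different resource"
    if bits < min_bits:
        return False, f"claims {bits} bits, policy requires {min_bits}"
    if stamp_date > now + timedelta(days=1):
        return False, "stamp dated in the future"
    if now - stamp_date > timedelta(days=max_age_days):
        return False, "stamp expired"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False, "hash does not show the claimed work"
    if stamp in seen:
        return False, "stamp already spent"
    seen.add(stamp)
    return True, "ok"


def grind_cost(bits_list, resource="demo@example.invalid"):
    """Time minting at several difficulties; tries roughly double per bit."""
    out = {}
    for bits in bits_list:
        t0 = time.perf_counter()
        _, attempts = mint(resource, bits)
        out[bits] = (attempts, time.perf_counter() - t0)
    return out


if __name__ == "__main__":
    seen = set()
    stamp, attempts = mint("victim@example.invalid", 16)
    print(stamp, "after", attempts, "tries")
    print(verify(stamp, "victim@example.invalid", 16, seen))
    print(verify(stamp, "victim@example.invalid", 16, seen))  # second use is refused
    for bits, (n, secs) in grind_cost([8, 12, 16, 20]).items():
        print(f"{bits:2d} bits: {n:8d} tries, {secs:.3f}s")
```

Running the script mints one 16-bit stamp, shows the replay being refused, then prints tries and wall time at 8, 12, 16 and 20 bits; the tries column roughly doubles per bit while `verify` always costs one SHA-1. The "regressive tax" point is the wall-time column: the same 20-bit stamp takes a fixed number of hashes on every machine, so slower hardware pays proportionally more time for the same message.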