Re: A mighty fortress is our PKI, Part III

2010-09-16 Thread James A. Donald
On 2010-09-16 6:12 AM, Andy Steingruebl wrote: The malware could just as easily fake the whole UI. Is it really PKI's fault that it doesn't defend against malware? Did even the grandest supporters ever claim it could/did? That is rather like having a fortress with one wall rather than four

RE: A mighty fortress is our PKI, Part III

2010-09-16 Thread Carl Ellison
To: Peter Gutmann Cc: cryptography@metzdowd.com Subject: Re: A mighty fortress is our PKI, Part III On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Some more amusing anecdotes from the world of PKI: Peter, Not to be too contrary (though at least a little) - not all

A mighty fortress is our PKI, Part III

2010-09-15 Thread Peter Gutmann
Some more amusing anecdotes from the world of PKI: - A standard type of fraud that's been around for awhile is for scammers to set up an online presence for a legit offline business, which appears to check out when someone tries to verify it. A more recent variation on this is to buy certs

Re: A mighty fortress is our PKI, Part III

2010-09-15 Thread Andy Steingruebl
On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Some more amusing anecdotes from the world of PKI: Peter, Not to be too contrary (though at least a little) - not all of these are really PKI failures are they? - There's malware out there that pokes fake Verisign

Re: A mighty fortress is our PKI, Part II

2010-08-17 Thread Jerry Leichter
On Aug 17, 2010, at 4:20 AM, Peter Gutmann wrote: Your code-signing system should create a tamper-resistant audit trail [0] of every signature applied and what it's applied to. Peter. [0] By this I don't mean the usual cryptographic Rube-Goldbergery, just log the details to a separate

Re: A mighty fortress is our PKI, Part II

2010-08-11 Thread Thor Lancelot Simon
On Wed, Aug 04, 2010 at 10:46:44PM -0700, Jon Callas wrote: I think you'll have to agree that unlike history, which starts out as tragedy and replays itself as farce, PKI has always been farce over the centuries. It might actually end up as tragedy, but so far so good. I'm sure that if we

Re: A mighty fortress is our PKI, Part II

2010-08-11 Thread Peter Gutmann
Thor Lancelot Simon t...@rek.tjls.com writes: If you want to see a PKI tragedy in the making, have a look at the CRLs used by the US DoD. Only in the making? Actually it's all relative, in Japan the Docomo folks turned off CRLs because they found that even a relatively modest CRL (not just the

Re: A mighty fortress is our PKI, Part II

2010-08-06 Thread Anne Lynn Wheeler
Zeus malware used pilfered digital certificate http://www.computerworld.com/s/article/9180259/Zeus_malware_used_pilfered_digital_certificate Zeus Malware Used Pilfered Digital Certificate http://www.pcworld.com/businesscenter/article/202720/zeus_malware_used_pilfered_digital_certificate.html

Re: A mighty fortress is our PKI, Part II

2010-08-06 Thread James A. Donald
On 2010-08-05 11:30 AM, David-Sarah Hopwood wrote: Signatures are largely a distraction from the real problem: that software is (unnecessarily) run with the full privileges of the invoking user. By all means authenticate software, but that's not going to prevent malware. A lot of devices

Re: A mighty fortress is our PKI, Part II

2010-08-06 Thread Tom Ritter
And what else should Windows say? We put this through our time machine and noticed that at some time in the past it was signed and now it isn't? Absolutely, on initial install there's no way to know it was originally signed (if you're smart about it). But in another architecture Microsoft

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Peter Gutmann
David-Sarah Hopwood david-sa...@jacaranda.org writes: Huh? I don't understand the argument being made here. It's a bogus argument, the text says: He took a legitimate software package and removed the signature of the digital certificate it contained, then installed the package on his

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Jon Callas
On Jul 30, 2010, at 4:58 AM, Peter Gutmann wrote: [0] I've never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. That is because a tragedy involves someone dying. Strictly speaking, a tragedy involves a Great Person who is brought to their undoing

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes: But S.J. Perleman's Three Shares in a Boat Uhh. minor nitpick, it was Jerome K. Jerome who wrote Three Shares in a Boat. He followed it up with Three Certificates on the Bummel, a reference to the sharing of commercial vendors' code-signing keys with malware

Re: A mighty fortress is our PKI, Part II

2010-08-05 Thread Jon Callas
On Aug 4, 2010, at 11:29 PM, Peter Gutmann wrote: Jon Callas j...@callas.org writes: But S.J. Perleman's Three Shares in a Boat Uhh. minor nitpick, it was Jerome K. Jerome who wrote Three Shares in a Boat. He followed it up with Three Certificates on the Bummel, a reference to the

TLS/SSL Survey (Ristic/Qualsys) (was: Re: A mighty fortress is our PKI)

2010-08-04 Thread =JeffH
Internet SSL Survey 2010 is here! (blog post) http://blog.ivanristic.com/2010/07/internet-ssl-survey-2010-is-here.html Actual report: Qualys Internet SSL Survey 2010 v1.6 (PDF, 3.2 MB) http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_2010-v1.6.pdf =JeffH

Re: A mighty fortress is our PKI, Part II

2010-08-04 Thread Anne Lynn Wheeler
Kaspersky: Sham Certificates Pose Big Problem for Windows Security http://www.ecommercetimes.com/story/70553.html from above .. Windows fails to clearly indicate when digital security certificates have been tampered with, according to Kaspersky Lab's Roel Schouwenberg, and that opens a door for

Re: A mighty fortress is our PKI, Part II

2010-08-04 Thread David-Sarah Hopwood
Anne Lynn Wheeler wrote: Kaspersky: Sham Certificates Pose Big Problem for Windows Security http://www.ecommercetimes.com/story/70553.html from above .. Windows fails to clearly indicate when digital security certificates have been tampered with, according to Kaspersky Lab's Roel

Re: A mighty fortress is our PKI, Part II

2010-08-02 Thread Bill Frantz
On 7/28/10 at 8:52 PM, pfarr...@pfarrell.com (Pat Farrell) wrote: When was the last time you used a paper Yellow Pages? Err, umm, this last week. I'm in a place where cell coverage (ATT, Verizon has a better reputation) is spotty and internet is a dream due to a noisy land line. I needed to

Re: A mighty fortress is our PKI

2010-08-01 Thread Anne Lynn Wheeler
On 07/28/2010 08:55 AM, Anne Lynn Wheeler wrote: disclaimer: the inventor of domain name infrastructure did a stint at the science center a decade earlier ... working on various and sundry projects. other public key science center trivia; former RSA CEO also at science center ...

Re: A mighty fortress is our PKI, Part II

2010-07-31 Thread Bill Stewart
At 07:16 AM 7/28/2010, Ben Laurie wrote: SSH does appear to have got away without revocation, though the nature of the system is s.t. if I really wanted to revoke I could almost always contact the users and tell them in person. This doesn't scale very well to SSL-style systems. Unfortunately,

Re: A mighty fortress is our PKI

2010-07-30 Thread Peter Gutmann
Paul Tiemann paul.tiemann.use...@gmail.com writes: What if... Firefox (or other) could introduce a big new feature (safety controls) and ask you up front: Do you want to be safer on the internet? The problem is that neither the browser vendor nor the users will see it like this. For the user

Re: A mighty fortress is our PKI, Part II

2010-07-30 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes: When I look at this, though, little of the problem is inherent to PKI. Rather, there are faulty communications paths. Oh no my Lord, I assure you that parts of it are excellent! :-). [...] how should the CA or Realtek know about the problem? [...]

Re: A mighty fortress is our PKI, Part II

2010-07-30 Thread Anne Lynn Wheeler
On 07/28/2010 11:52 PM, Pat Farrell wrote: A lot of the smart card development in the mid-90s and beyond was based on the idea that the smart card, in itself, was the sole authorization token/algorithm/implementation. some ssl, payment, smartcard trivia ... those smartcards were used for the

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread Pat Farrell
On 07/28/2010 08:44 PM, Steven Bellovin wrote: When I look at this, though, little of the problem is inherent to PKI. Rather, there are faulty communications paths. You note that at t+2-3 days, the CA read the news. Apart from the question of whether or not 2-3 days is shortly after -- the

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread Alexandre Dulaunoy
On Thu, Jul 29, 2010 at 3:09 AM, Nicolas Williams nicolas.willi...@oracle.com wrote: This is a rather astounding misunderstanding of the protocol.  An OCSPResponse does contain unauthenticated plaintext[*], but that plaintext says nothing about the status of the given certificates -- it only

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread James A. Donald
On 2010-07-29 12:18 AM, Peter Gutmann wrote: This does away with the need for a CA, because the link itself authenticates the cert that's used. Then there are other variations, cryptographically generated addresses, ... all sorts of things have been proposed. The killer, again, is the refusal

Re: deliberately crashing ancient computers (was: Re: A mighty fortress is our PKI)

2010-07-29 Thread Jerry Leichter
On Jul 28, 2010, at 11:04 AM, Jonathan Thornburg wrote: http://www.crashie.com/ - if you're feeling malicious, just include the one line JavaScript that will make IE6 crash, maybe eventually the user will figure it out. (Or maybe not). Please stop and think about the consequences before

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread Anne Lynn Wheeler
On 07/28/2010 11:52 PM, Pat Farrell wrote: I'd like to build on this and make a more fundamental change. The concept of a revocation cert/message was based on the standard practices for things like stolen credit cards in the early 1990s. At the time, the credit card companies published telephone

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread StealthMonger
Jerry Leichter leich...@lrw.com writes: The only conceivable purpose for using a signature is that you can check it *offline*. If you assume you can connect to the network, and that you can trust what you get from the network - why bother with a

Re: A mighty fortress is our PKI, Part II

2010-07-29 Thread Nicolas Williams
On Thu, Jul 29, 2010 at 10:50:10AM +0200, Alexandre Dulaunoy wrote: On Thu, Jul 29, 2010 at 3:09 AM, Nicolas Williams nicolas.willi...@oracle.com wrote: This is a rather astounding misunderstanding of the protocol. [...] I agree on this but the implementation of OCSP has to deal with

Re: A mighty fortress is our PKI

2010-07-28 Thread Paul Tiemann
On Jul 26, 2010, at 10:22 PM, Chris Palmer wrote: Perry E. Metzger writes: All major browsers already trust CAs that have virtually no security to speak of, ...and trust any of those CAs on any (TCP) connection in the (web app) session. Even if your first connection was authenticated by

Re: A mighty fortress is our PKI

2010-07-28 Thread dan
Wow, I was just going to recommend Dan's book, Security Metrics. It is actually Andy Jaquith's book, I only wrote the intro. In the meantime, though, couple of years ago I did a tutorial on security metrics which you may find useful http://geer.tinho.net/measuringsecurity.tutorial.pdf

Re: A mighty fortress is our PKI

2010-07-28 Thread Chris Palmer
Paul Tiemann writes: I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and certificate X wasn't even near its

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Ben Laurie b...@links.org writes: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to sign 64-bit

Re: A mighty fortress is our PKI

2010-07-28 Thread Ben Laurie
On 28/07/2010 01:07, Paul Tiemann wrote: There is a long list of flyblown metaphors which could similarly be got rid of if enough people would interest themselves in the job; and it should also be possible to laugh the not un- formation out of existence*... *One can cure oneself of the not

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 00:14, Paul Tiemann wrote: On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 09:57, Peter Gutmann wrote: Ben Laurie b...@links.org writes: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this,

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Jerry Leichter
On Jul 27, 2010, at 5:34 PM, Ben Laurie wrote: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the fixes won't work. Is this just an exercise in one-upmanship? You know more ways the world is broken than I do? It's

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 13:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the fixes won't work. Is this just an exercise in one-upmanship? You

Re: A mighty fortress is our PKI

2010-07-28 Thread Nicolas Williams
On Tue, Jul 27, 2010 at 10:10:54PM -0600, Paul Tiemann wrote: I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 01:21:33PM +0100, Ben Laurie wrote: On 28/07/2010 13:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Steven Bellovin
On Jul 28, 2010, at 8:21 33AM, Ben Laurie wrote: On 28/07/2010 13:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the fixes won't

Re: A mighty fortress is our PKI

2010-07-28 Thread Anne Lynn Wheeler
On 07/28/2010 12:10 AM, Paul Tiemann wrote: I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and certificate X

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 11:38:17 +0100 Ben Laurie b...@links.org wrote: On 28/07/2010 09:57, Peter Gutmann wrote: In any case though the whole thing is really a moot point given the sucking void that is revocation-handling, the Realtek certificate was revoked on the 16th but one of my spies has

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Stefan Kelm
Peter, In any case though the whole thing is really a moot point given the sucking void that is revocation-handling, the Realtek certificate was revoked on the 16th but one of my spies has informed me that as of yesterday it was still regarded as valid by Windows. I can confirm that, at

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes: For the last issue, I'd note that using pki instead of PKI (i.e., many different per-realm roots, authorization certificates rather than identity certificates, etc.) doesn't help: Realtek et al. still have no better way or better incentive to revoke

Re: A mighty fortress is our PKI

2010-07-28 Thread Peter Gutmann
Paul Tiemann paul.tiemann.use...@gmail.com writes: I like the idea of SSL pinning, but could it be improved if statistics were kept long-term (how many times I've visited this site and how many times it's had certificate X, but today it has certificate Y from a different issuer and certificate

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 14:05, Perry E. Metzger wrote: It is not always the case that a dead technology has failed because of infeasibility or inapplicability. I'd say that a number of fine technologies have failed for other reasons. However, at some point, it becomes incumbent upon the proponents of a

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie b...@links.org wrote: On 28/07/2010 14:05, Perry E. Metzger wrote: It is not always the case that a dead technology has failed because of infeasibility or inapplicability. I'd say that a number of fine technologies have failed for other reasons.

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28 July 2010 15:05, Perry E. Metzger pe...@piermont.com wrote: On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie b...@links.org wrote: On 28/07/2010 14:05, Perry E. Metzger wrote: It is not always the case that a dead technology has failed because of infeasibility or inapplicability. I'd say

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 10:05:22AM -0400, Perry E. Metzger wrote: PKI was invented by Loren Kohnfelder for his bachelor's degree thesis at MIT. It was certainly a fine undergraduate paper, but I think we should forget about it, the way we forget about most undergraduate papers. PKI alone is

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Anne Lynn Wheeler
On 07/28/2010 10:05 AM, Perry E. Metzger wrote: I will point out that many security systems, like Kerberos, DNSSEC and SSH, appear to get along with no conventional notion of revocation at all. long ago and far away ... one of the tasks we had was to periodically go by project athena to audit

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Stefan Kelm
Perry, I think public key cryptography is a wonderful thing. I'm just not sure I believe at all in PKI -- that is, persistent certification via certificates, certificate revocation, etc. I'm sure you remember Peter Honeyman's PK-no-I talk from the '99 USENIX Security Symposium? :-) Cheers,

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 15:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: However, using private keys to prove that you are (probably) dealing with the same entity as yesterday seems like a useful thing to do. And still needs revocation. It depends on what you mean by revocation,

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Jack Lloyd
On Wed, Jul 28, 2010 at 08:48:14AM -0400, Steven Bellovin wrote: There seem to be at least three different questions here: bad code (i.e., that Windows doesn't check the revocation status properly), the UI issue, and the conceptual question of what should replace the current PKI+{CRL,OCSP}

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 03:16:32PM +0100, Ben Laurie wrote: Maybe it doesn't, but no revocation mechanism at all makes me nervous. I don't know Kerberos well enough to comment. DNSSEC doesn't have revocation but replaces it with very short signature lifetimes (i.e. you don't revoke, you

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 15:16:32 +0100 Ben Laurie b...@google.com wrote: On 28 July 2010 15:05, Perry E. Metzger pe...@piermont.com wrote: On Wed, 28 Jul 2010 14:38:53 +0100 Ben Laurie b...@links.org wrote: And still needs revocation. Does it? I will point out that many security

deliberately crashing ancient computers (was: Re: A mighty fortress is our PKI)

2010-07-28 Thread Jonathan Thornburg
On Tue, 27 Jul 2010, Jack Lloyd suggested: http://www.crashie.com/ - if you're feeling malicious, just include the one line JavaScript that will make IE6 crash, maybe eventually the user will figure it out. (Or maybe not). Please stop and think about the consequences before using something

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 10:42:43AM -0400, Anne Lynn Wheeler wrote: On 07/28/2010 10:05 AM, Perry E. Metzger wrote: I will point out that many security systems, like Kerberos, DNSSEC and SSH, appear to get along with no conventional notion of revocation at all. long ago and far away ... one

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Ben Laurie
On 28/07/2010 16:01, Perry E. Metzger wrote: On Wed, 28 Jul 2010 15:16:32 +0100 Ben Laurie b...@google.com wrote: SSH does appear to have got away without revocation, though the nature of the system is s.t. if I really wanted to revoke I could almost always contact the users and tell them in

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 09:30:22 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: On Wed, Jul 28, 2010 at 10:05:22AM -0400, Perry E. Metzger wrote: PKI was invented by Loren Kohnfelder for his bachelor's degree thesis at MIT. It was certainly a fine undergraduate paper, but I think we

Re: deliberately crashing ancient computers (was: Re: A mighty fortress is our PKI)

2010-07-28 Thread Jack Lloyd
On Wed, Jul 28, 2010 at 11:04:30AM -0400, Jonathan Thornburg wrote: On Tue, 27 Jul 2010, Jack Lloyd suggested: http://www.crashie.com/ - if you're feeling malicious, just include the one line JavaScript that will make IE6 crash, maybe eventually the user will figure it out. (Or maybe not).

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 11:13:36AM -0400, Perry E. Metzger wrote: On Wed, 28 Jul 2010 09:30:22 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: I have no objections to infrastructure -- bridges, the Internet, and electrical transmission lines all seem like good ideas. However, let's

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Anne Lynn Wheeler
On 07/28/2010 11:05 AM, Nicolas Williams wrote: Are you arguing for Kerberos for Internet-scale deployment? Or simply for PKI with rp-only certs and OCSP? Or other federated authentication mechanism? Or all of the above? :) as i've mentioned ... the relying-party-only certificates are

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Nicolas Williams nicolas.willi...@oracle.com writes: Exactly. OCSP can work in that manner. CRLs cannot. OCSP only appears to work in that manner. Since OCSP was designed to be 100% bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and not an OCSP. Specifically, if

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 10:50:52 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: On Wed, Jul 28, 2010 at 11:38:28AM -0400, Perry E. Metzger wrote: On Wed, 28 Jul 2010 09:57:21 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: OCSP Responses are much like a PKI equivalent of

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Peter Gutmann
Nicolas Williams nicolas.willi...@oracle.com writes: Sorry, but this is wrong. The OCSP protocol itself really is an online certificate status protocol. It's not an online certificate status protocol because it can provide neither a yes or a no response to a query about the validity of a

Re: A mighty fortress is our PKI

2010-07-28 Thread Paul Tiemann
On Jul 27, 2010, at 10:58 PM, d...@geer.org wrote: Wow, I was just going to recommend Dan's book, Security Metrics. It is actually Andy Jaquith's book, I only wrote the intro. Ouch, I'm sorry for the mistake! (I knew I remembered your name in connection with the book, but it's on my

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 11:23:16 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: On Wed, Jul 28, 2010 at 11:20:51AM -0500, Nicolas Williams wrote: On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote: Again, I understand that in a technological sense, in an ideal world,

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Anne Lynn Wheeler
On 07/28/2010 12:02 PM, Nicolas Williams wrote: Sorry, but this is wrong. The OCSP protocol itself really is an online certificate status protocol. Responder implementations may well be based on checking CRLs, but they aren't required to be. Don't be confused by the fact that OCSP borrows

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Thu, Jul 29, 2010 at 04:23:52AM +1200, Peter Gutmann wrote: Nicolas Williams nicolas.willi...@oracle.com writes: Sorry, but this is wrong. The OCSP protocol itself really is an online certificate status protocol. It's not an online certificate status protocol because it can provide

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote: Again, I understand that in a technological sense, in an ideal world, they would be equivalent. However, the big difference, again, is that you can't run Kerberos with no KDC, but you can run a PKI without an OCSP server. The

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote: Again, I understand that in a technological sense, in an ideal world, they would be equivalent. However, the big difference, again, is

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 01:25:21PM -0400, Perry E. Metzger wrote: My mother relies on many certificates. Can she make a decision on whether or not her browser uses OCSP for all its transactions? I mention this only because your language here is quite sticky. Saying it is up to the relying

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 12:38:10 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: Again, if everything is too hard, why do we bother even talking about any of this? ETOOHARD cannot usefully be a retort to every suggestion. Well, not everything is too hard. In fact, one of the important

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Nicolas Williams
On Wed, Jul 28, 2010 at 02:41:35PM -0400, Perry E. Metzger wrote: On the other edge of the spectrum, many people now use quite secure protocols (though I won't claim the full systems are secure -- implementation bugs are ubiquitous) for handling things like remote login and file transfer,

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Alexandre Dulaunoy
On Wed, Jul 28, 2010 at 5:51 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Nicolas Williams nicolas.willi...@oracle.com writes: Exactly.  OCSP can work in that manner.  CRLs cannot. OCSP only appears to work in that manner.  Since OCSP was designed to be 100% bug-compatible with CRLs,

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Paul Tiemann
On Jul 28, 2010, at 9:51 AM, Peter Gutmann wrote: Nicolas Williams nicolas.willi...@oracle.com writes: Exactly. OCSP can work in that manner. CRLs cannot. OCSP only appears to work in that manner. Since OCSP was designed to be 100% bug-compatible with CRLs, it's really an OCQP (online

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Perry E. Metzger
On Wed, 28 Jul 2010 14:40:14 -0600 Paul Tiemann paul.tiemann.use...@gmail.com wrote: On Jul 28, 2010, at 11:25 AM, Perry E. Metzger wrote: On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams nicolas.willi...@oracle.com wrote: On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger

Re: A mighty fortress is our PKI

2010-07-27 Thread Chris Palmer
Perry E. Metzger writes: All major browsers already trust CAs that have virtually no security to speak of, ...and trust any of those CAs on any (TCP) connection in the (web app) session. Even if your first connection was authenticated by the right CA, the second one may not be. Zusmann and

Re: A mighty fortress is our PKI

2010-07-27 Thread Chris Palmer
Paul Tiemann writes: Since this is a certificate we (DigiCert) have issued, I'm trying to understand if there is a vulnerability here that's more apparent to others than to me, If an attacker can steal the cert by any means, perhaps by means particular to one of the hosted sites, he can now

Re: A mighty fortress is our PKI

2010-07-27 Thread Peter Gutmann
Paul Tiemann paul.tiemann.use...@gmail.com writes: [...] This is kind of a long message to reply to so I'll just post a meta-reply to avoid getting bogged down in nitpicking, the message, as the subject line indicated, was intended to start a discussion on some of the weaknesses inherent in the

Re: A mighty fortress is our PKI

2010-07-27 Thread Peter Gutmann
Ian G i...@iang.org writes: ** But talking about TLS/SNI to SSL suppliers is like talking about the lifeboats on the Titanic ... we don't need it because SSL is unsinkable. ... or talking to PKI standards groups about adding a CRL reason code for certificate issued in error (e.g. to an

Re: A mighty fortress is our PKI

2010-07-27 Thread Ralph Holz
Hi, Eckersley's and Burns' presentation at Defcon (coming right up) will present their findings from a global survey of certs presented by hosts listening on port 443. Their results are disturbing. Have these results already been published somewhere, or do you maybe even have a URL? Ralph

Re: A mighty fortress is our PKI

2010-07-27 Thread Anne Lynn Wheeler
On 07/27/2010 10:11 AM, Peter Gutmann wrote: So a general response to the several well, what would you do? questions is I'm not sure, that's why I posted this to the list. For example should an SSL cert be held to higher standards than the server it's hosted on? In other words if it's easier

Re: A mighty fortress is our PKI

2010-07-27 Thread Pat Farrell
On 07/27/2010 11:04 AM, Anne Lynn Wheeler wrote: long ago and far away. they had also invented this technology called SSL that they wanted to use. As part of applying the technology to the business payment process ... we also had to go around and investigate how some of these

Re: A mighty fortress is our PKI

2010-07-27 Thread Anne Lynn Wheeler
On 07/27/2010 12:09 PM, Pat Farrell wrote: Most of which we avoided by skipping the cert concept. Still, better technology has nothing to do with business success. Public Key Crypto without all the cruft of PKI. It's still a good idea. that became apparent in the use of SSL between all the

Re: A mighty fortress is our PKI

2010-07-27 Thread Chris Palmer
Ralph Holz writes: Eckersley's and Burns' presentation at Defcon (coming right up) will present their findings from a global survey of certs presented by hosts listening on port 443. Their results are disturbing. Have these results already been published somewhere, or do you maybe even

Re: A mighty fortress is our PKI

2010-07-27 Thread Anne Lynn Wheeler
On 07/27/2010 12:09 PM, Pat Farrell wrote: In that same time, I was at CyberCash, we invented what is now sometimes called electronic commerce. and that and $5 will get you a cup of coffee. We predated SSL by a few years. Used RSA768 to protect DES sessions, etc. Usual stuff. somewhat as

Re: A mighty fortress is our PKI

2010-07-27 Thread Chris Palmer
Sampo Syreeni writes: I am not sure what quantitative measurement of vulnerability would even mean. What units would said quantity be measured in? I'm not sure either. This is just a gut feeling. See also: http://nvd.nist.gov/cvsseq2.htm

Re: A mighty fortress is our PKI

2010-07-27 Thread Perry E. Metzger
On Tue, 27 Jul 2010 11:11:52 -0700 Chris Palmer ch...@noncombatant.org wrote: Sampo Syreeni writes: I am not sure what quantitative measurement of vulnerability would even mean. What units would said quantity be measured in? I'm not sure either. This is just a gut feeling. See also:

Re: A mighty fortress is our PKI

2010-07-27 Thread Chris Palmer
Perry E. Metzger writes: Unless you can perform an experiment to falsify the self-declared objective quantitative security measurement, it isn't science. I can't think of an experiment to test whether any of the coefficients in the displayed calculation is correct. I don't even know what

Re: A mighty fortress is our PKI

2010-07-27 Thread dan
False metrics are rampant in the security industry. We really need to do something about them. I propose that we make fun of them. You might consider joining us in D.C. on 10 August at http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon5.0 --dan, program committee

Re: A mighty fortress is our PKI

2010-07-27 Thread Ben Laurie
On 27/07/2010 15:11, Peter Gutmann wrote: The intent with posting it to the list was to get input from a collection of crypto-savvy people on what could be done. The issue had previously been discussed on a (very small) private list, and one of the members suggested I post it to the

Re: A mighty fortress is our PKI, Part II

2010-07-27 Thread Ben Laurie
On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to sign 64-bit drivers, I wouldn't have revoked

Re: A mighty fortress is our PKI

2010-07-27 Thread Nicolas Williams
On Tue, Jul 27, 2010 at 09:54:51PM +0100, Ben Laurie wrote: On 27/07/2010 15:11, Peter Gutmann wrote: The intent with posting it to the list was to get input from a collection of crypto-savvy people on what could be done. The issue had previously been discussed on a (very small) private

Re: A mighty fortress is our PKI, Part II

2010-07-27 Thread Paul Tiemann
On Jul 27, 2010, at 3:34 PM, Ben Laurie wrote: On 24/07/2010 18:55, Peter Gutmann wrote: - PKI dogma doesn't even consider availability issues but expects the straightforward execution of the condition problem - revoke cert. For a situation like this, particularly if the cert was used to

Re: A mighty fortress is our PKI

2010-07-27 Thread Paul Tiemann
On Jul 27, 2010, at 1:14 PM, d...@geer.org wrote: False metrics are rampant in the security industry. We really need to do something about them. I propose that we make fun of them. You might consider joining us in D.C. on 10 August at

Re: A mighty fortress is our PKI

2010-07-27 Thread Paul Tiemann
Haven't we already decided what to do: SNI? But isn't that the problem, that SNI had to be added therefore it isn't everywhere therefore site operators don't trust its presence therefore SNI is irrelevant? It appears Apache supports SNI as of 2.2.12 which was released 12 months ago. Do we
