The list moderator asked a few participants (including myself) to let this issue go, but I just want to mention that I've posted a minor update to the PDF, and have included a link to this thread in it, as well as a footnote next to the 600+ figure, mentioning that, "Phillip Hallam-Baker disputes the EFF's figure on [therightkey] mailing list, but did not provide citable references for his claims."
URL remains the same, but it should say Version 1.1 in the lower-left of the cover page: http://okturtles.com/other/dnsnmc_okturtles_overview.pdf

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 5:54 PM, Tao Effect <[email protected]> wrote:

> Oh, sorry, I just saw (after sending that email), that I didn't answer your question.
>
> Why bother quoting it at all? Because whether the number is 600+ or 300+, it still serves to support the point that browsers will take the word of any one of over a hundred potentially untrustworthy strangers as "proof" that a connection to a website is secure.
>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Dec 16, 2013, at 5:48 PM, Tao Effect <[email protected]> wrote:
>
>> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <[email protected]> wrote:
>>>
>>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>>
>> Dude, how did you manage to ignore that entire email?
>>
>> One more time, since you somehow missed it:
>>
>>>> OK, in order for me to correct this in the paper I need the following information:
>>>>
>>>> 1. A link to who "DFN" is.
>>>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>>>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>>>
>>
>> You cannot just say "the EFF is lying", throw your hands in the air, and leave it at that.
>>
>> Unlike you, the EFF provided sources and proof for their claim.
>>
>> They then wrote a widely cited blog post containing their claim and their evidence for it.
>>
>> Where is your blog post? Where is your evidence that the EFF is lying?
>>
>> These emails of yours don't cut it. Heck, I'd even post a link to an archived email of yours if you provided the necessary information in it.
>>
>> - Greg
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>
>> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <[email protected]> wrote:
>>
>>> When you make an assertion in a paper then you are accepting the burden of proof.
>>>
>>> If the source for the '600' claim was lying then the claim has to be taken off the table completely. The DFN root issue demonstrates that the methodology is bogus rather than just being a single inaccurate data point.
>>>
>>> If you want to make assertions about the number of CAs then the most accurate measure currently available is still the number of roots in the commonly used browsers. While there are a handful of CAs using roots cross certified by another CA, such CAs now have to have a full audit statement and meet all the acceptance criteria in their own right. So there would be little point in not applying to have the root entered in independently.
>>>
>>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>>>
>>> On Mon, Dec 16, 2013 at 1:44 PM, Tao Effect <[email protected]> wrote:
>>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>>
>>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>>
>>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>>
>>> OK, in order for me to correct this in the paper I need the following information:
>>>
>>> 1. A link to who "DFN" is.
>>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>>
>>> Let me emphasize that none of this ultimately matters to the points that were made in the paper.
>>>
>>> Whether the number is 600+ or 300+, it's still an insecure, broken mess.
>>>
>>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>>
>>> I'll be happy to clear this up:
>>>
>>> - Bitcoin is not the "market leader" of distributed DNS systems. Namecoin is.
>>> - Namecoin and Bitcoin are designed with completely different goals in mind. They are not competitors.
>>> - Namecoin is not intended to be a bitcoin replacement, nor the other way around. It is not like "litecoin" or any of the other bitcoin competitors, because it is not a competitor to bitcoin.
>>>
>>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>>
>>> I'll be happy to clear this up too:
>>>
>>> None of these are comparable to Bitcoin or Namecoin.
>>>
>>> Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, distributed currencies.
>>>
>>> - "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
>>> - eGold: Centralized currency with no "reliable user identification" (not a problem with Bitcoin or Namecoin)
>>> - Liberty Reserve: Centralized currency https://en.wikipedia.org/wiki/Liberty_Reserve#Background
>>>
>>> People who are standing back and scratching their heads, wondering why Bitcoin is still around after years of being used to purchase illegal drugs, murder-for-hire, and weapons (continuing to this day btw), simply don't understand what Bitcoin is.
>>>
>>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>>
>>> Do you represent a company that sells SSL certs? It seems like you might:
>>>
>>> During twelve years as Principal Scientist at VeriSign Inc.,
>>>
>>> Perhaps the paper is a bit harsh (and I welcome suggestions to improve its language), but the critiques it levies against companies that sell SSL certs are completely valid:
>>>
>>> Companies that sell SSL certificates usually claim that their certificates provide customers with "security." Customers are led to believe that these certificates protect browser-server communication from eavesdropping and tampering. As elaborated in this paper, this simply isn't true today.
>>>
>>> I have to say, that among the cert companies' websites that I looked at, VeriSign's homepage makes the fewest claims about the security protections it provides.
>>>
>>> The words "usually claim" leave room for exceptions. I could not find, on the customer-facing pages on VeriSign's site, any claims that VeriSign's SSL certs "protect browser-server communication from eavesdropping and tampering."
>>>
>>> Some close calls are:
>>>
>>> In short, when it comes to securing online transactions, safeguarding customer information, and protecting business reputation, you're only as safe as the Certificate Authority you choose.
>>> https://www.symantec.com/ssl-certificates-advantages
>>>
>>> Customers Gain Confidence with the Green Address Bar: Online shoppers recognize the green address bar as an easy and reliable way to verify the site identity and security.
>>> https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
>>>
>>> VeriSign's SSL certificates do not provide websites with meaningful protection as defined in the DNSNMC paper because they cannot be securely authenticated in the face of a fraudulent certificate that's presented to customers by a MITM.
>>>
>>> If your certs can simply be replaced by any of the other CAs out there, then *all* of the security they provide is thrown out the window.
>>>
>>> Furthermore, because VeriSign is a random third-party, not the company that users visit when they visit a site using VeriSign's certificate, the protection offered by that certificate is inherently inferior to a securely authenticated self-signed certificate.
>>>
>>> This is simply mathematics, and not a point that's up for debate.
>>>
>>> When trust is distributed across more parties, that trust is diluted because it now depends on the least secure of those parties.
>>>
>>> Sidenote:
>>>
>>> It seems like I was sent "to the sharks" so to speak (perhaps as a practical joke?).
>>>
>>> So far almost half of the replies to this thread have come from representatives of SSL companies.
>>>
>>> The hostility is therefore no surprise.
>>>
>>> --
>>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>>
>>> On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <[email protected]> wrote:
>>>
>>>> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <[email protected]> wrote:
>>>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>>>>
>>>> I thought the EFF was a reputable source.
>>>>
>>>> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>>>
>>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>>
>>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>>
>>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>>>
>>>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>>>>
>>>> What market leader?
>>>>
>>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>>>
>>>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>>>>
>>>> What eGold scheme are you comparing Namecoin to?
>>>>
>>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>>>
>>>> Are you sure you know what you're talking about here...? ;-)
>>>>
>>>> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>>>>
>>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>>>
>>>> --
>>>> Website: http://hallambaker.com/
>>>> _______________________________________________
>>>> therightkey mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/therightkey
>>>
>>> --
>>> Website: http://hallambaker.com/
>>> _______________________________________________
>>> therightkey mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/therightkey
>>
>> _______________________________________________
>> therightkey mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/therightkey
>
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
