
Re: [Asrg] New take on emerging idea. (Query/C-R system?)

2003-04-11 20:35:38
From: "Scott Bellware" <sbellware(_at_)hotmail(_dot_)com>

...
Sure, there are problems with SSL/TSL and the susceptibility to man in the
middle, but if it weren't for cert providers, we wouldn't have wholesale
encryption at the transport. ...

That is mistaken, although it is the party line.  "Cert providers"
have practically nothing to provide "wholesale encryption at the
transport" in any honest technical sense.  Encryption can be and often
is provided with random, single-use session keys exchanged with the
Diffie-Hellman protocol.  Certificates can only give a little assurance
that when your browser contacts www.example.com, it is talking to
www.example.com.

See RFC 2246 and especially section 1.  Notice that encryption parameters
are independent of any certificates.  Certificates only let you know
that your browser really is talking to an organization that Verisign
says is "Microsoft Corporation." Again, to see how much that's worth,
please read http://www.cert.org/advisories/CA-2001-04.html and
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Offense taken in some quarters to my pointing at that saga
notwithstanding, I don't think Verisign did anything bad in it except
lie about the value of commercial PKI.  Anyone who looked into buying
a Verisign or Thawte cert found that they sell as much security as an
honest person expects to buy for $150-$350.  You can't expect a cert
vendor to do more than glance at your WHOIS records and the first page
of a FAX copy of what you say is your local business registration for
the fraction of $150-$350 that can go to checking up on you.

             ... And even if it is merely a perception of security, the
perception has been effective enough to provide encouragement to consumers
for engaging in allowing their information to be transmitted across the
wire - regardless of their perception of what happens with it at the data
store.

Yes, that "perception of security" is what commercial PKI has provided.
I wish I didn't think that eyewash is valuable but that the public could look
at the facts.  However, this is the IRTF/IETF where we're supposed to
be designing things with either real security or a well labelled lack
of security, regardless of what Joe Sixpack needs or wants to be told.


...
The thing about VeriSign and Thawte was merely an aside to suggest - again -
that a centralized control does not need to be in the hands of the
government and I personally feel that a government agency might not be able
to execute with the agility of a private agency.

My point about the government-operated national no-call list is that it
isn't a compelling example of the potential of a government operation
because the app is _relatively_ simple.

As the saying goes, "In theory, there is no difference between theory
and practice, but in practice there is."  In theory, do-not-call lists
can be operated by private organizations, but in practice, the
do-not-call lists operated by the DMA as well as large telemarketing
firms have been ignored.  In advertised theory, the private organization
TrustE made outfits trustworthy as far as respecting privacy, but in
practice, other things happened.  In other theories, the do-not-send-spam
lists operated by the DMA and other private organizations fixed spam,
but in practice we're all here.

I don't mean to imply that a central do-not-spam whitelist or whatever
would make technical, political, operational, or any other sense
because it is operated by a government.


My apologies for reiterating - just trying to clarify the intent of my
message.

Perhaps I should also apologize for repeating what we should all know
about authentication, encryption, PKI, certificates, and so forth.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
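The point Vernon makes above, that the TLS session key comes from the Diffie-Hellman exchange itself and a certificate only binds a public value to a name, can be seen in code. The following is an added example, not from the thread or from any TLS implementation: an ephemeral DH agreement over the 2048-bit MODP group of RFC 3526 (group 14), using only the Python standard library. The salt and transcript labels (`dh-demo-salt`, `demo`) are arbitrary constants chosen for the example. Run honestly, both sides derive the same key with no certificate anywhere. When the public value one side receives is replaced, both sides still derive a key, they just no longer share one, and nothing in the arithmetic reveals it; that identity binding is the only thing a certificate adds.

```python
"""Ephemeral Diffie-Hellman key agreement with no certificate involved.

Added example (not from the mailing-list thread). Standard library only.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14). Generator is 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair():
    """Return (private, public). The private exponent is fresh per session."""
    priv = 2 + secrets.randbelow(P - 3)        # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def validate_public(pub):
    """Reject degenerate peer values (0, 1, P-1, out of range) that would
    force a trivial shared secret."""
    if not 2 <= pub <= P - 2:
        raise ValueError("invalid DH public value")
    return pub


def dh_shared_secret(priv, peer_pub):
    return pow(validate_public(peer_pub), priv, P)


def session_key(shared, label):
    """Derive a 32-byte session key from the shared secret.

    HMAC-SHA256 extract with a fixed salt, then one expand step keyed by
    `label` (a stand-in for a handshake transcript). Salt and label are
    arbitrary constants for this example.
    """
    ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"dh-demo-salt", ikm, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def run_exchange(tamper=False):
    """Run one Alice<->Bob ephemeral exchange; return (alice_key, bob_key).

    With tamper=True, the public value Alice receives is replaced by an
    unrelated one. Both sides still compute a key and neither computation
    fails; they simply no longer agree. Detecting that substitution is what
    authenticating the exchange (a certificate plus a signature over the key
    exchange) is for; the encryption itself never needed the certificate.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    seen_by_alice = dh_keypair()[1] if tamper else b_pub
    alice_key = session_key(dh_shared_secret(a_priv, seen_by_alice), b"demo")
    bob_key = session_key(dh_shared_secret(b_priv, a_pub), b"demo")
    return alice_key, bob_key


def keys_agree(tamper=False):
    """True when both parties derived the same session key."""
    alice_key, bob_key = run_exchange(tamper)
    return hmac.compare_digest(alice_key, bob_key)


if __name__ == "__main__":
    print("honest exchange, keys agree:", keys_agree())             # True
    print("substituted value, keys agree:", keys_agree(tamper=True))  # False
```

The `validate_public` check matters in practice: a peer value of 0, 1 or P-1 collapses the shared secret to a known constant regardless of the private exponent, so real implementations reject those before exponentiating.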