Phillip M Hallam-Baker wrote:
In the end the user MUST be the one resonsible for make the judgement
call about what is and is not a good CA for their purposes.
I agree with this point as well and would use it to utterly refute
David and Ed's arguments against self signed certs and such.
Since you fail to distinguish between ethical (or legal) responsibility and
practical behavior, I do not see how this is refutatory. That is: while if I
accept a "generally accepted" CA without checking their balance sheet,
auditing procedures, personnel, etc., I am ultimately responsible (leaving
aside litigation or offered indemnities) for the consequences, that does not
mean that most Internet users are capable or willing to take on such an
onerous burden. Thus the system should offer the greatest confidence possible,
recognizing pragmatically how users will behave and how to facilitate useful
systems at scale. My point is the same one that has lead to all sorts of
assurance systems and exclusions from membership of those who don't meet
specified standards in credit card systems, banking systems, etc. Secure
e-mail should be no different.
Creating an opening for self-signed CAs meeting no standards at all is not the
way to increase such confidence.
There are no 'high security' protocols, the class simply cannot
exist. There are only high security _systems_, that is systems
comprising protocols and operating proceedures which
together provide a given level of assurance that certain
specified risks have been guarded against.
This is not about perfection. There can be no perfection. This is about
"better" for the group in the large (in this case at the expense of a
relatively few who would find being able to be a self-signed CA convenient or
who just don't like a system that has rules, for aesthetic or ideological
reasons).
The only valid reason for restricting a protocol in the manner
suggested would be if the forbiden mode of operation was
inherently insecure. It is not.
That some CAs could be fiat CAs meeting no trust standards IS inherently
insecure.
I think we should let this argument rest. Open PGP has at this
point only one supporter of consequence, Qualcomm. With
everyone else in the S/MIME camp and PGP just rescued
from bankrupcy the outcome is not hard to guess. We should
be looking to see how we can salvage what is best from the
PGP experiment rahter than continue to fight a war that
has been won as far as the desktop goes.
I do not see this as having anything to do with ideological wars or winning or
losing. I see it as creating a secure/authenticated e-mail system in which
people in the large at global internet scale, who do not know each other, can
have enough confidence they are will use it transparently.
The problem we have is that many of the people who are the
natural early adopter constituency for S/MIME have not
realised that PGP is dead. In other words we have won the
standards battle but not the mind share battle.
I suggest this kind of argument polarizes the discussion in this group on this
point. It is best avoided.
I see no reason to alienate a significant user base simply to
trample on the remains of a PKI model that isn't viable in
any case. I don't think that most PGP users want to be a
CA, they just want to have that option.
Arguing that a weakness should be included because it will make some whom you
feel have lost some battle feel better isn't the way to develop confidence in
a security standard. And arguing that a security hole is ok because it
probably won't be used much seems equally unpersuasive.
This isn't about "trampling" on anything. It is about creating confidence in a
standard.
Best;
David