Re: pgp signing in van
2013-09-07 10:42:07
On 9/6/2013 10:35 PM, Melinda Shore wrote:
> One of the useful things that PKI provides is some agreement,
> at least, about what we expect from certification authorities
> and what it means to issue and sign a certificate. That is
> to say, the semantics are reasonably well sorted-out, which is
> not the case with pgp.
>
> Melinda

Much of the discussion also deals with how protocol implementers,
i.e., the mail, browser and router markets, have added these as features. Are
they secured out of the box?
For example, the browser market has recently begun to enable OCSP
(Online Certificate Status Protocol) out of the box. Is this good or
bad? Is this a further violation of privacy? An ethical concern? Is it
more 3rd party tracking, monitoring with a good security purpose?
Add the same concept to the address bar searching methodologies that
are now also enabling the out of the box for further 3rd party search
and tracking path.
Add to that JavaScript, 3rd party cookies and cross domain
communications, once a major taboo, are now enabled out of the box.
The enabling of "ping home" and "cross talking" ideas across the
board, it is all enabled now.
Overall, we lost the focus of private by design with this exploding
need to socialize and share information mentality. It's not end to end
any more. It's an OPT-OUT, not OPT-IN mentality. The market is
allowing it to happen, is it because they are aware of this and made
a choice or they don't even know it was even an issue?
The IETF methodology needs to be revamped to lead the way ago, take
more charge of not being so relaxed in its security aspects towards
communications protocols. Consolidation of information is a start.
We knew since the beginning of SMTP how it was well known the SMTP
(821) sender/return path was not secured. Too much spoofing
potential, yet it was written in stone in RFC2821 not to hurt a useful
feature because of an ignorant bad guy. Well, we finally recognized
the bad guy was no longer ignorant by RFC5321. It took nearly a score
of years to begin to address it, we have SPF for example, we have DKIM
too.
And even then, we are still too relaxed. I have always called for
strong exclusive end to end, i.e., SPF -ALL, policies when possible.
ADSP for DKIM, etc.
But overall, we allowed too much security relaxation into the
protocols, making them work with much lower payoffs and much more
waste on the system. We passed the buck to others and the future to
address these well known issues. Too much time wasted.
The IETF can do better to lead the way.
--
HLS