|
Re: Agenda, security, and monitoring
2014-02-03 09:31:33
On Mon, Feb 3, 2014 at 10:12 AM, John C Klensin <john-ietf(_at_)jck(_dot_)com>
wrote:
--On Monday, February 03, 2014 09:05 -0500 Theodore Ts'o
<tytso(_at_)mit(_dot_)edu> wrote:
If this is being done via https, and you trust that the CA for
ietf.org is doing a competent job, and *all* CA's and sub-CA's
trusted by your browser are doing a competent job, then this
will basically do what you want, and it doesn't require people
to show up at a PGP signing party. The user experience
becomes that which is needed when you sign up for a Google, or
Yahoo, or any other web site which demands that you prove that
you have a valid e-mail address.
Right. Very weak authentication of individual identity but,
given the above assumptions, decent-or-better authentication of
ownership of keys, addresses, and identity-persistence. Whether
that is good enough depends on one's concerns and attack
scenarios -- for the IETF list, I'd imagine almost no one would
care. And, of course, the requirement of competence by "*all*
CA's and sub-CA's trusted by your browser" doesn't pass a laugh
test these days unless one is paranoid and geeky enough to edit
browser CA lists down to those one actually has reason to trust.
On another list we have pretty much agreed that we are not interested in
checking government issued ID in an IETF context.
Now there are many contexts where checking government issued IDs or
employment badges or the like makes a lot of sense and Comodo is one of
many CAs that support that type of enterprise need. But it is clear that we
are not in that situation here.
So what validation process is there for me to validate against? All I can
see is checking the email address with some sort of callback loop.
One of the reasons S/MIME has taken so long to take off is that people
built the toll booths before the highway. In a world in which everyone is
sending encrypted emails there are many ways for CAs to make money but we
are not yet in that world.
The place where I think the CA industry is best placed to add most value is
on the relying party side rather than the subject. Email trust
infrastructures will necessarily be complex and there will be a need for
those trust infrastructures to be curated.
Very few users are going to be 'geeky enough' to weed out their CA list but
there are companies that will do that for them. And its not just CA lists,
it is working out what key services are worth bothering with, evaluating
webs of trust and the like.
I think there are banks who would very much like to be able to send their
customers end-to-end encrypted email provided that the usability issues
with current offerings are addressed.
--
Website: http://hallambaker.com/
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: Agenda, security, and monitoring, (continued)
- Re: Agenda, security, and monitoring, John C Klensin
- Re: Agenda, security, and monitoring, Pete Resnick
- Re: Agenda, security, and monitoring, John C Klensin
- Re: Agenda, security, and monitoring, Bjoern Hoehrmann
- Re: Agenda, security, and monitoring, Brian E Carpenter
- Re: Agenda, security, and monitoring, Phillip Hallam-Baker
- Re: Agenda, security, and monitoring, Brian E Carpenter
- Re: Agenda, security, and monitoring, Theodore Ts'o
- Re: Agenda, security, and monitoring, Phillip Hallam-Baker
- Re: Agenda, security, and monitoring, John C Klensin
- Re: Agenda, security, and monitoring,
Phillip Hallam-Baker <=
- Re: Agenda, security, and monitoring, t.p.
- Re: Agenda, security, and monitoring, Dave Crocker
- Re: Agenda, security, and monitoring, Alessandro Vesely
Re: Agenda, security, and monitoring, Joseph Lorenzo Hall
Re: Agenda, security, and monitoring, Dale R. Worley
|
| Previous by Date: |
Re: Agenda, security, and monitoring, Stephen Kent |
| Next by Date: |
Re: Agenda, security, and monitoring, Phillip Hallam-Baker |
| Previous by Thread: |
Re: Agenda, security, and monitoring, John C Klensin |
| Next by Thread: |
Re: Agenda, security, and monitoring, t.p. |
| Indexes: |
[Date]
[Thread]
[Top]
[All Lists] |
|
|