Honestly?  The concept of "vetting by a third party" really doesn't
mean anything to those who choose to deal with things themselves, and
it especially doesn't mean anything to those who believe that the
fundamental concept of X.509 certificates, as applied by the people
who developed the SSL protocol, is fundamentally fucked up.

I don't need to pay a third party to have a random conversation with
someone on the street.  I don't need to pay a third party to give a
flyer to anyone I meet on the street.  I don't need to rely on a
third-party "vetting" process to have a random conversation with
someone on the street.  I don't even need to ask for a
government-issued ID to have a random conversation with someone on the
street.  And you know what?  I DON'T WANT TO.  I don't want to do this
on the web, either.  I don't care if you or anyone else thinks that
this makes it better for the drooling computer and security-illiterate
masses, I choose not to.

I don't get that security dialog if I communicate via plain-text
(non-https); if I happen to want to have a private conversation with
the same person (the same site and IP), why the hell do I need a third
party to step in and say "it's dangerous if you don't have something
that I'VE VETTED" (or worse, "it's insanely dangerous if you don't
have something that WE'VE VETTED")?  It's arguably less dangerous to do
unauthenticated TLS than non-encrypted web browsing, but the dialog as
it's currently implemented arguably destroys any faith in the ability
of the computer system to be a tool that we use, rather than a
paradigm that controls us.  It destroys our ability to trust.

And you know what, that's the business that CAs are in, either giving
away limited amounts of trust or selling the same.  CAs have entirely
too much power under the currently dominant paradigm -- they can
choose to embed or withhold any X.509v3 extension that they want in
the certificates that they issue, and the person they issue them to
has absolutely no say in the matter.  A web certificate, which (at
least from GoDaddy and others) includes both "network client" and
"network server" extensions, can be used in either capacity -- but it
can't be used to sign software packages that people can choose to
trust, it can't be used to sign PDF documents, it can't be used for
email authentication, it can't be used for anything that isn't
explicitly embedded into the certificate by the CA.

"Get another browser, then!  Build your own from the Mozilla sources!
Just don't call it Firefox!"  I can hear the cries.  Unfortunately,
it's just not that simple.  Do YOU want to have to open up another
browser, another piece of software to clutter up your taskbar and
desktop, just to be able to communicate the same fucking protocol as
Firefox?  I sure as hell don't.  But more importantly, /I also don't
want to have to support people who want to have a private conversation
with me to the point of having to tell them to download and install
another piece of software on their computers just to enable a
conversation/.  I'm already having major problems trying to find a
single piece of software that works for instant messaging and video
chats and audio chats.

Your argument doesn't hold water, Eddy.  It's the same argument that
Nelson and others (the entire security team) seem to use to justify
their interference in everyone's conversations and interactions, their
assumption of fiduciary duties without consent from the people who use
their software.  Firefox 2 had an easier-to-navigate security dialog
than Firefox 3 (at least 'accept this certificate temporarily for this
session' took only one click instead of 4, and all of its information
was in a single dialog box).

I'm sick of having to deal with this shit.

And you know what?  The reason why X.509 is completely fucked up the
way it's currently implemented has to do with the trust boundaries in
place, the insistence that CAs have on "implementing their policies".
That's perfectly fine, as long as it doesn't impact me, or come into
conflict with my policies, or the policies of those I interact with --
but it does.  I have a need to segregate various groups of colleagues
and friends and associates that I have, just to make my life a bit
easier.  I'm not going to give you all the entire list of nicknames
that I have, or when I used them, just to prove a point -- I will just
state that I have several nicknames, several handles, several groups
of people I interact with that I have reason to not know about each
other.  I'm not perpetrating fraud, I'm not doing anything illegal --
I'm just ensuring that my right to free expression doesn't bleed
through to cause me problems with (for example) employment.  (Would a
bank hire a manager who wrote erotic fiction in his or her spare time?
 Probably not, if the bank knew about it.  And the bank would probably
fire said manager if they found out.)

As a matter of information security, there are several aspects of
this: 1) How do I know that any given CA has enough internal controls
to ensure that none of its identity-vetting employees is going to
perpetrate identity fraud on me?  2) Why the hell does ANY CA need to
know who I am?  Is there some secret requirement that I'm not aware of
that says that the CA has to turn over to any given government or
auditor (and are there internal controls sufficient there?) all the
identity paperwork it has on any given person with any given public
key?  Is there any guarantee that there won't be such a requirement in
the future, retroactive to now?  (hint: the answer is "no".)  3) Why
do I have to disclose all aliases that I have so that they can all be
embedded into a single certificate?  Or, why do I have to make part of
the publicly-subpoenable record my identity information and any one or
more handles that I might use?  4) What right does anyone have to say
that I or anyone else must use a third-party vetting service, for any
reason at all under the sun?  5) Perhaps most importantly, why can't I
find a CA that will actually issue a certificate to an alias?  Oh,
right, because they can't meet the criteria for inclusion in Firefox
or Apple's root certificate program or Microsoft's root certificate
program or Opera's root certificate program or anyone else's for that
matter.

Conversely, the people I'd want to talk with have a problem as well.
If they know me by a given handle in a given context, how the hell are
they supposed to figure out who they're talking with when they're
presented with a certificate that only contains my legal name, with no
additional identity binding?

(In the US, we have this thing called "the right of free association".
 As long as no crimes are being committed, we have the right to
participate anonymously or pseudonymously without having to bind our
legal identities to our interactions.  I don't know if this is
something you have in Israel, and frankly I don't care.  I am being
harmed, demonstrably, by this policy, because you and everyone who
you've whispered into the ear of seems to think it's a given that
anyone who has nothing to hide shouldn't fear identification.  This
viewpoint is pure and unadulterated bull flatulence -- psychic
methane.  It's poisonous, it leads to a self-centered "I know better
than you do what you need to do and what you need to know and what you
need to demand, and if you don't demand it I'm going to demand it for
you EVEN IF YOU DON'T GIVE ME YOUR PERMISSION TO DO SO" viewpoint that
would be absurd if it weren't so damaging.)

Nicknames have reputation.  Identities have reputation.  Go read
http://www.identityblog.com/stories/2004/12/09/thelaws.html -- this is
someone who I haven't interacted with, someone I didn't know wrote on
the topic when I realized the problem.  I only stumbled on this
particular blog about a year or two ago, after I started realizing
that each of us has different groups of people we socialize with,
different identities that we use in our day to day lives.  It might
work for some people to have a single identity that they use
everywhere -- but it doesn't work for everyone, and I'm one of those
it doesn't work for.  Unfortunately, the people who think that "there
is only One True Identity, And That Is The Legal Identity" seem to
have a hard-on for trying to ram their worldview down everyone's
throat.  Including mine, and the people I interact with.

And I'm sick of it.

-Kyle H

On Mon, Nov 3, 2008 at 6:40 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 11/03/2008 03:40 PM, David Stutzman:
>>
>> http://www.cs.uml.edu/~ntuck/mozilla/
>>
>> I think we covered this before and he misses the fact that there are free
>> alternatives out there like StartSSL that I use (Thanks Eddy!).
>>
>
> You are welcome, Dave! Even though we receive a lot of credit and many
> encouraging and thankful email messages, it doesn't happen so often
> publicly. Thanks for that.
>
> Indeed this subject has been covered extensively in blogs and at Bugzilla;
> it's hard to convince somebody otherwise who doesn't see the value in the
> vetting by a third party. Not much to do here...except point to
> https://bugzilla.mozilla.org/show_bug.cgi?id=460374
>
> PS. How about using your StartSSL client certificate for your email (I
> suppose you received one during registration)?   :-)
>
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Blog:   https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>