On 11/03/2008 08:46 PM, Kyle Hamilton:
Honestly? The concept of "vetting by a third party" really doesn't mean anything to those who choose to deal with things themselves
Because they don't understand the concept. Period.
I don't need to pay a third party to have a random conversation with someone on the street.
Right! Because you most likely don't yell your passwords of your blog, forums or secure codes of your cash card on the street randomly. If you don't have something to say, don't secure...
I don't need to pay a third party to give a flyer to anyone I meet on the street.
Certainly, besides that you don't have to pay either. The issue isn't about payment, it's about depending on somebody else. However the concept of CAs is beyond the openssl command.
I don't need to rely on a third-party "vetting" process to have a random conversation with someone on the street.
Yes! Nobody asked you to secure your unimportant chatters...
I don't even need to ask for a government-issued ID to have a random conversation with someone on the street. And you know what? I DON'T WANT TO.
YOU DON'T HAVE TO! Besides that you recognize somebody on the street - and you very quickly make an assessment if and how much you want to trust that person you just met on the street. Somebody may have or earn your trust even on the street! You can't do that the same way on the Internet. But neither do you have to trust just about anybody on the Internet either...or are you publishing your passwords, bank account numbers etc. on your web site? You don't and neither you would tell it somebody on the street.
I don't want to do this on the web, either. I don't care if you or anyone else thinks that this makes it better for the drooling computer and security-illiterate masses, I choose not to.
Kyle, this is perfectly fine with anybody here at Mozilla and elsewhere! You don't have to secure your web sites, not your email messages, nothing!
I don't get that security dialog if I communicate via plain-text (non-https); if I happen to want to have a private conversation with the same person (the same site and IP), why the hell do I need a third party to step in and say "it's dangerous if you don't have something that I'VE VETTED" (or worse, "it's insanely dangerous if you don't have something that WE'VE VETTED"?)
Of course here we've got the conflict. Why don't you stay with plain text? If you think that something needs to be secured, than do it the right way. Otherwise why secure it in first place? How shall _I_ know that I'm talking to _YOUR_ web site? And if I don't know for certain that this _IS_ your web site, why secure it in first place. All the rest is simply security theater as Nelson used to say...
It's arguably less dangerous to do unauthenticated TLS than non-encrypted web browsing,
Kyle, what nonsense are you talking about. Encryption through a MITM is the same as no encryption at all. Worse, it gives you a sense of security and privacy when in fact there is none.
but the dialog as it's currently implemented arguably destroys any faith in the ability of the computer system to be a tool that we use, rather than a paradigm that controls us. It destroys our ability to trust.
Why? Did the "computer system" lie to you?
And you know what, that's the business that CAs are in, either giving away limited amounts of trust or selling the same. CAs have entirely too much power under the currently dominant paradigm -- they can choose to embed or withhold any X.509v3 extension that they want in the certificates that they issue, and the person they issue them to has absolutely no say in the matter.
Why? Do you want to have CA:TRUE in your certs? Or perhaps e-mail protection, even though the email wasn't validated?
A web certificate, which (at least from GoDaddy and others) includes both "network client" and "network server" extensions, can be used in either capacity -- but it can't be used to sign software packages that people can choose to trust, it can't be used to sign PDF documents, it can't be used for email authentication, it can't be used for anything that isn't explicitly embedded into the certificate by the CA.
Fantastic! That means that the folks at GoDaddy do their job right! Get a code signing certificate for code signing - which has different requirements than web servers and most likely can't be had for twenty bucks, because it requires identity or organization validation.
"Get another browser, then! Build your own from the Mozilla sources! Just don't call it Firefox!"
Feel free - it's open source...
I can hear the cries. Unfortunately, it's just not that simple.
Ahhhh, so there is somewhat more into building a browser and making it popular than the code...
Do YOU want to have to open up another browser, another piece of software to clutter up your taskbar and desktop, just to be able to communicate the same fucking protocol as Firefox? I sure as hell don't.
Nope, why should I? Don't get it...(can't you add an exception for those sites you feel comfortable with?)
Your argument doesn't hold water, Eddy. It's the same argument that Nelson and others (the entire security team) seem to use to justify their interference in everyone's conversations and interactions, their assumption of fiduciary duties without consent from the people who use their software.
Which interference? Getting a certificate doesn't interfere in anybodies conversation or interaction. Be careful of what you accuse me here...
Firefox 2 had an easier-to-navigate security dialog than Firefox 3 (at least 'accept this certificate temporarily for this session' took only one click instead of 4, and all of its information was in a single dialog box).
Right. This concept of the early Netscape days, being taken over by Microsoft's IE, broke the Internet. It made a joke out of encryption and I'm glad that an educational process started with IE7 and FF3 (even though the former is not favorable for the StartCom CA either).
And you know what? The reason why X.509 is completely fucked up the way it's currently implemented has to do with the trust boundaries in place, the insistance that CAs have on "implementing their policies". That's perfectly fine, as long as it doesn't impact me, or come into conflict with my policies, or the policies of those I interact with -- but it does.
Oh well...the lock at the front door of my house also impacts me daily. I could remove the lock, but I prefer to leave it there for now...
I'm not perpetrating fraud, I'm not doing anything illegal -- I'm just ensuring that my right to free expression doesn't bleed through to cause me problems with (for example) employment. (Would a bank hire a manager who wrote erotic fiction in his or her spare time? Probably not, if the bank knew about it. And the bank would probably fire said manager if they found out.)
So?
As a matter of information security, there are several aspects of this: 1) How do I know that any given CA has enough internal controls to ensure that none of its identity-vetting employees is going to perpetrate identity fraud on me?
This is a good question - really the first sane thing I read in your rant here. Supposed that all CAs have undergone a third party audit, those aspects are dealt with to a reasonable extend. But it's also a trust thing, isn't it? Choose the CA your trust the most.
2) Why the hell does ANY CA need to know who I am?
That's another good question. Subscribers are usually bound to some obligations (called Subscribers obligation). However they can hardly be enforced if the subscriber remains anonymous. Hence in order to implement and govern the CA policy, CAs should know who you are.
Is there some secret requirement that I'm not aware of that says that the CA has to turn over to any given government or auditor (and are there internal controls sufficient there?) all the identity paperwork it has on any given person with any given public key?
Auditing (and examining the audit trail) is an important part of the third party audit CAs undergo. I can share with you that at our latest audit we refused to have any material of our subscribers copied or removed from our systems - except for a few examples for which we requested permission by the affected party. All other audit samples were performed and examined on spot without handing over any information not publicly available otherwise (like identity paperwork). However the controls over those documents were examined. Needless to say that the auditor themselves are bound to an NDA too.
3) Why do I have to disclose all aliases that I have so that they can all be embedded into a single certificate? Or, why do I have to make part of the publicly-subpoenable record my identity information and any one or more handles that I might use?
I don't think you have to do that.
4) What right does anyone have to say that I or anyone else must use a third-party vetting service, for any reason at all under the sun?
Don't! Did somebody force you? The browser vendor decided that MITM attacks is a bad thing for the majority of their users - it's up to you to secure your web site or not.
5) Perhaps most importantly, why can't I find a CA that will actually issue a certificate to an alias?
What is an alias? Is an email address an alias? Could an email address be an alias? I think so...
I am being harmed, demonstrably, by this policy, because you and everyone who you've whispered into the ear of seems to think it's a given that anyone who has nothing to hide shouldn't fear identification. This viewpoint is pure and unadulterated bull flatulence -- psychic methane. It's poisonous, it leads to a self-centered "I know better than you do what you need to do and what you need to know and what you need to demand, and if you don't demand it I'm going to demand it for you EVEN IF YOU DON'T GIVE ME YOUR PERMISSION TO DO SO" viewpoint that is would be absurd if it weren't so damaging.)
I don't get your point. Seriously. Do what you want - I don't care either...
Nicknames have reputation. Identities have reputation. Go read http://www.identityblog.com/stories/2004/12/09/thelaws.html -- this is someone who I haven't interacted with, someone I didn't know wrote on the topic when I realized the problem. I only stumbled on this particular blog about a year or two ago, after I started realizing that each of us have different groups of people we socialize with, different identities that we use in our day to day lives. It might work for some people to have a single identity that they use everywhere -- but it doesn't work for everyone, and I'm one of those it doesn't work for. Unfortunately, the people who think that "there is only One True Identity, And That Is The Legal Identity" seem to have a hard-on for trying to ram their worldview down everyone's throat. Including mine, and the people I interact with.
For legal stuff you need legal identities. This is what CAs may confirm (not necessarily with email / domain validated certificates). It matters for stuff which need to be legally binding - usually involving some contractual agreement. It doesn't for everything else. Now what's the problem again? Having to validate a domain name at a third party CA? :S
-- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
