Eddy Nigg wrote:
On 11/15/2008 05:18 PM, Ian G:
Eddy Nigg wrote:
On 11/12/2008 05:21 PM, Ian G:

Not sure why, but your posting arrived only just now...


I was offline / travelling. There is this little lightbulb on the bottom left side of Thunderbird that we can click, and then the emails cache up until net is restored.


What is clear is that the name is not really the essence of the process,
it is just one part. So if we are claiming the full essence of getting
people to court, we need to do other things;

We'd rather prefer to remain out of court, but that's the ultimate option. The fact that identification details are listed in a certificate usually is a prevention measure itself.


Yes, these things are true statements in and of themselves. However, they are what we would call "outsiders views" of the law and not necessarily useful or positive or helpful.


if we are just doing the
Name, we should avoid talking about the courts purpose unless we can
point to the other things as well, and show how it fits in.

But usually not only the name is validated, but address and locality as well. The street address is often not listed for non-EV certs, but it could be disclosed by court order.


Sure. This is the classical approach. Provide more info, and hope that helps. Just be careful to not claim that is "why" and "the point" because in court, the other side's lawyer might hold you to it, and ask some simple questions that might leave your case in tatters.


You can, sure. But would you? Would you dare to masquerade as another
person, and do some harm?

It's not about me, but anybody who dares. Many do, as your own junk folder can provide evidence of. It's the easiest thing in order to perform fraud.


The people are all rhetorical, sure. Does anyone dare? Most won't. And those people will be "stopped" because they are being asked to lie or defraud, and they don't do that, so it is an easy fix.

However, if we are talking about someone who can and will defraud, then they will also happily defraud to get a cert. Or any of a number of other things that are needed.


Let's say you do that, and then the summons
arrives to your email address. You see the summons. What are you going
to do?

LOL! That's really naive thinking! Do you really believe that somebody disguising his identity will bluntly use his own real IP address? :-)


(Actually, yes. This is the most common thing. The number of people who have exposed themselves doing dirty behaviour and used their own real IP address in doing it is quite high. Most people don't even know what it means, and even experts like ourselves have difficulty in identifying how to protect our IP addresses. E.g., right this very moment, I don't know if you can trace me from IP address or not. And if it is a dynamic IP#, likely you can't trace it further anyway.)

But that's not the point. The point is that the way our society works is that it exposes honest people to a lot of different little steps to show that they are honest; then we do business. This works, and it works on the net too. Ebay etc.

In contrast, our societal system doesn't keep out people who are good at lying to people and defrauding systems.

Certs don't change that. Certs themselves, and current secure browsing, has little effect on this all. At least one reason: fraud is complicated, it operates at different layers to crypto, e.g., socially engineered. Certs try and compress all fraud into a single claim in a little crypto box. Real fraudsters don't see that they want to be boxed in by the crypto, so they bypass.

Hence, although your claims may be "true" they may also be "worth nothing."


Do you dare defy the court and not present yourself? If you do that,
then you are toast. If they (a claimant and a real bill gates) come
looking for you and find you, then not only have you committed a species
of deception, you've tried to ignore the courts. Not only is your case
compromised, but you've probably committed something against the court.

The problem is, nobody will ever know that it was me...


Until you make a mistake. Until the court chases you. Until the victim decides it is his life mission to track you down ... until a whole lot of things.

Let me give you a real world example: some guy did some evil by using a nym to spread slander and lies about competitors in a community. After months of cross-referencing and so forth, we finally found an IP# that matched to his home address because he had forgotten to change over to his "hop" that one time ... but it still wasn't good enough because he said "oh, that might have been my brother, who is psychologically unreliable..."

But, we eventually matched it by discovering that his laptop keyboard had a "twitch" in it, and the same twitch was in both emails from him and from this nym.

Which is to say, real fraud and real anti-fraud is done in different ways to the way certs see it. It's not an elegant mystery by Sir Arthur Conan Doyle, but a mundane series of boring facts, a couple of which reveal silly blunders.


Instead, because you are a wiser person than that, you will simply
appear before the court, and say, "It is I, using that nym, but my real
name is Bob Smith." And the court will proceed to hear the case. At
least in english common law, it is OK to use any name you like, as long
as it isn't for fraudulent purposes.

Or, if there aren't such intentions in the first place, use a validated digital certificate. These days an unsigned mail should always be consumed with a grain of salt...


lol... like these ones.

If a claim is made by CAs that the Name is needed to pursue someone in
the courts, this is more or less deceptive.

Ha? Can you explain that? Here are some example details straight from a certificate:

E = [EMAIL PROTECTED]
CN = Eddy Nigg
L = Eilat
ST = South
C = IL

What's deceptive here? Additionally, the CA has more information about the subject, such as the address and phone number.


It's not the claims in the cert that are deceptive, it's the claim that this info could be used to get remedy from some harm that could be done. I'm sure all the info above is correct, but that doesn't help me get remedy. Firstly, I already figured out all this info other ways, and presenting it to me in "certified" form means nothing, adds nothing. Secondly, I can't seek remedy anyway, because it is too expensive.

E.g., look at Paypal. They don't ask for a certified statement that you have a bank account, they send you some pennies. That's a real anti-fraud technique.


If we accept that (and we are in a security market, regulated by audits
and/or vendors) then we should stop making that claim.

There is no claim to stop! The quality of the verification performed may vary, but as a general rule, a verified certificate is sufficient to reach the person in question (by court order or else).


Are you making that claim? Is it in your CPS? Is it in anyone else's CPS? Is it in EV?


Of course a crook may change address, but courts and law enforcement officials have their tools to locate somebody sooner or later. Provided that the persona in question is identified correctly.


OK, try this simple test. Let's say that there is a case to be answered, and the info is as above. So I file to the court. The court says, "nope, didn't work." (For any of 100 reasons.) So I've got nothing.

Now, are you insuring that event? As a CA, if you are making a claim that this will get the guy in court, and it doesn't work out that way, what will you pay me?

(Or, think about some other maker of claims. What do they pay out when the claim "this will get you into court with the guy" goes wrong?)


OK. So the principle is that everyone may make their own risk
assessments, whether private or corporate. We may freely decide to
allocate our resources and make our decisions.

As I said, for resources which are truly under my control, I may require a verified identity too! I didn't mean a browser here, but rather other resources, like a web site or mail server.


Right, it's a principle. It either applies in many circumstances, broadly and easily, or it isn't a principle.


It would also mean that a vendor was free to experiment and choose
different security models, cf. Gerv's much lamented yellow bar and
Jonathon's 4-click process.

Isn't that what happened really? Not seeing your point.


Yes, this is a hobby horse of mine. It happens, but there are people who believe it has to be done other ways. E.g., the yellow bar is much lamented, because it was replaced with a "standard" which also comes with an "all-or-nothing" approach. This reduces the possibilities for experimentation. The same thing happens with Jonathon's 4-click thing, which is not able to really develop because it is working more with negative info and assumptions, not with positive info and stored KCM. The same thing with fixing the basic protocols, which are passed across to PKIX. Basically, vendors should be free to advance security with changes to the model. They are not free to do this.



iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto