On 11/30/2008 01:09 AM, Kyle Hamilton:
Kyle, I must say that I found this particular message highly interesting! Allow me to respond only on some subjects you've touched which were of particular interest to me...
> This is why I've been in favor of unobtrusive pop-ups (rather like Growl notifications on the Mac). There are only a couple of pieces of information truly necessary for any security UI... who it's from, who says it's from the person it's from, who (ultimately) has been deemed acceptable to provide that kind of information, and whether it's been modified in transit. i.e., certificate subject, certificate issuer, issuer's root authority, and hash-match.
We've been discussing this previously; I just want to point out that for S/MIME the UI can be much less intrusive since S/MIME has been much less misused so far and most users using it have a better knowledge generally. That's the front-side of the coin - the same coin of not having a high adoption rate perhaps. BTW, I wonder if there are any reliable studies concerning that claim anyway.
But the threats for web sites are currently different than for email, basically because MITMs (and phishing) of web sites are more attractive right now. Having said that, I believe that many people routinely send highly valuable information unsecured via email - much higher in value sometimes than some credit card details or so...
> ... my personal email PIN is the same as my business email PIN is the same as my business contract-signature PIN. (And if you ask me why I have my business contract-signature key at home... haven't you ever worked from home?)
Why don't you simply use different smart cards instead?
> Since Skype happens to be this big bad confusing pile of steaming crud, and since Eddy's using it to enable a red herring attack, I'm going to ignore it. (Hint: Eddy, just because someone else chooses not to do things that you've done doesn't mean they're automatically useless or harmful. I have not seen evidence of Skype being misused, so I will not raise my voice to decry them -- even though you aren't seeing evidence of Skype having done an audit, and are raising the hue and cry based on that. Also, there is nothing wrong with Skype holding private keys, even if they're not an escrow service. All Skype needs to do is ensure that they're only being used on behalf of the account that they're assigned to.
Kyle, I personally also use Skype in addition to Jabber/XMPP and have nothing against it. However I must make a stance if their security model is touted as the solution to all evil, because it's not. First of all Skype is a centralized system compared to decentralized systems like the web, email, Jabber and others. There is an inherent difference between those. Second, one must know the facts and evaluate the risks of Skype having all the control. I don't care if Skype is encrypted or not, because I don't have enough information nor control about any of those aspects. Hence I'm treating it basically as an insecure transport - with some encryption layer put on top.
However, I wouldn't use Skype for the exchange of critical or confidential messages and files. Nor can this approach be applied to the web or email or any other decentralized network, otherwise you'd need from now on to use only ONE email server handling all your mail and that of those who interact with you (e.g. all those who will want to send you email will have to have an account at the one-and-only mail server you are using. In this context, some similar scheme might be applied.)
> Also: I hereby put forth that StartCom is not "free". It derives monetary benefit from the personal information that it demands of anyone before they're ever approved to become users of the system.
Kyle, you must be very careful about what you are accusing StartCom of!!! Let me explain to you the following:
StartCom provides some certification services for free as in free beer. StartCom isn't a "free" system and never will be. Because certification authorities have generally not much to do with "free", besides the potential fees, but quite the opposite. Actually there is almost nothing "free" in about anything related to CAs - I'm talking as an operator of a CA and from my point of view. "Free" you can find outside of the CA framework much easier...
Concerning StartCom's requirement for registration: StartCom has NEVER, EVER disclosed to any third party any details about its subscribers, NEVER used or misused subscriber information to promote its own products or that of others. StartCom are such suckers, they never sent out even one email encouraging its own subscribers to buy one of their paid products or upgrade to a paid product or service (I'm certain that CAs like Godaddy do that routinely) [*]. StartCom has a company wide policy and a CA policy regulating the use of all subscriber information clearly. We are very well aware of the special responsibility we took upon us in everything we do at the CA and NEVER used or misused our position in any way. The only exceptions are court orders and presentations in a summarized form to potential investors and partners.
Now, since StartCom must enforce adherence to the StartCom Certification Policies by all subscribers, the subscriber must provide his/her personal information during registration. For anybody for whom this requirement might present a problem, I suggest heading over to a different CA. (Just have your credit card ready).
> I'd rather ask this question: "What do the users need that can have partial or total solutions implemented using the technologies that have been developed?"
Or, how to educate the masses to use the technologies which have been developed and deployed. I've increasingly come to the conclusion that the problem is educational (or training as you stated in the first part of your mail) and the inability of the technology people to speak non-geek.
[*] I'm certain that there are some on this list who can confirm that statement from personal experience.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto