Hi Julien,
to address your very relevant points:
On 9/1/09 21:05, Julien R Pierre - Sun Microsystems wrote:
Ian,
Ian G wrote:
If you follow the KCM logic, you would have to give an application
warning, which is completely unwarranted under current standards.
If the new cert is unauthentic, then it would cause some form of alert
that would be entirely warranted. Currently, a false cert will slip
through without any change.
For what definition of false?
Indeed a good question. Who do we ask? And if we get it wrong and do
not alert for a false cert, we have really caused a problem....
Who takes responsibility for Mozilla getting it wrong?
This is why high security systems in active areas *always include the
end-user*. It's kind of a law of security, and it's one that "secure
browsing" breaks.
Right. But look at the end-user's question in another thread. It isn't
being answered. The issue here is that Firefox is acting like a
blackbox, and can't be seen inside. The equation is too complex.
Well, that black box is still open source and you can still tell what
it's doing if you care about every level of detail.
Open source is only open to developers; which is convenient for
developer-led organisations like Mozilla, but pretty much closed to
anyone else.
Just like audit reports, really.
If the answer is, "use the source, luke" then this is the same as saying
"we don't talk to anyone but our fellow jedi."
(Not sure what happened after that in the movies, but it was pretty
exciting, and it took many new releases to sort out :)
Were you following the threads of December? Approximately three cases
of trickiness. I'm not saying that the PKI is about to meltdown, but
some of the flaws in the system that we've known for a long time became
apparent. And no solution in sight, except more of the "trust me"
rhetoric.
I have been reading most of the December threads this week as I came back
from vacation. Not every line, but most. And I have to agree that some
CAs are broken. And in those cases, the solution may be to distrust as well.
It was a lonnnnnggg... thread and came at the wrong time.
It is policy, more or less, that end-users don't get to trust a
particular CA. They only get to trust Firefox's black box magic, and
if they lose, they lose. Just how inspiring is that?
You have to come up with a default. Any default list of CA certs is
better than none.
That's fine. The question here is not about whether the default exists,
but whether there are options to change the default; and whether those
options are made deliberately hard ("because average users will screw
them up") or whether they are made easier and more effective ("average
users can be warned away, support people can start to train them").
Where do you expect the average user to obtain the
list of CA certs they want to trust externally?
Same place they do in every standard place in life. Support people, the
market, opinion leaders, the brands, TV, chatrooms, newspapers, the
corner shop, society, gossip circles.
I know this is anathema to the core developers who believe that they can
do great stuff with open source; but unfortunately, only some things
can be done with code. Complex things require human interaction.
Security is complex by definition, because it includes an active
attacker. If you do not include the end-user, then the result is
brittle; it works for a while, then stops.
It is policy, more or less, that *any* CA's cert is good.
Not at all. That's why there is a Mozilla CA policy, and some CAs are
shut out. You need to have at least some audits. Not saying that those
are perfect - obviously they can miss things, but they are usually still
better than nothing.
Right, I meant, any CA in the root list.
This is why we also had a fierce debate about dropping a CA from the
root list. My simplistic claim: no CA can be dropped from the root list.
That's why we are having a fierce debate about how useful the audit is.
My simplistic claim: it depends!
What does that do to the model?
If the audits are worthless, then there is a
problem and better auditors need to be found ...
Broader defence of the humble auditor, in other post.
It is policy, more or less, that nobody accepts the responsibility for
this.
Do you believe in all that?
No, it shouldn't be. Certainly the CAs should accept some responsibility
for the certification services they offer and charge for.
This is why I say: the industry standard is to set liability to zero.
WebTrust agrees. Audit reports implicitly maybe confirm it for you.
RPAs are written in English, and at least one popular CA makes it very
exceedingly clear. It's the first loud paragraph.
(Things have changed a little under EV, but if possible, let's establish
the standard before we look at how EV changes things.)
I believe some
do contractually.
Please, let's see those contracts?!
iang
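The KCM (key continuity management) exchange at the top of this thread, rendered as an added example that is not part of the original mail or of any Mozilla code: a store remembers the public key last seen for a host and raises an alert when that key changes, so a certificate that a CA would happily sign for someone else does not "slip through" silently. The `Cert` dataclass is a constructed stand-in for X.509 parsing (a real implementation would hash the DER SubjectPublicKeyInfo); host names, key bytes and the scenario in `run_scenario` are all constructed for illustration. Pinning the key rather than the whole certificate is the design choice that avoids the unwarranted warning on a routine renewal that keeps the same key.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Continuity(Enum):
    FIRST_SEEN = "first_seen"  # no prior record: trust on first use, record it
    UNCHANGED = "unchanged"    # same public key as last time: no warning
    CHANGED = "changed"        # different key: KCM raises an alert here


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not parsed from DER)."""
    subject: str
    issuer: str
    spki: bytes   # would be the DER SubjectPublicKeyInfo in a real cert
    serial: int


def key_fingerprint(cert: Cert) -> str:
    """SHA-256 over the public key only, so renewals with the same key match."""
    return hashlib.sha256(cert.spki).hexdigest()


class KeyContinuityStore:
    """Per-host memory of the public key last accepted for that host."""

    def __init__(self) -> None:
        self._seen: dict[str, str] = {}

    def check(self, host: str, cert: Cert) -> Continuity:
        fp = key_fingerprint(cert)
        prior = self._seen.get(host)
        if prior is None:
            self._seen[host] = fp          # trust on first use, record it
            return Continuity.FIRST_SEEN
        if prior == fp:
            return Continuity.UNCHANGED
        return Continuity.CHANGED          # alert; do NOT overwrite the record

    def accept_change(self, host: str, cert: Cert) -> None:
        """Called only after the end-user (or support staff) confirms the change."""
        self._seen[host] = key_fingerprint(cert)


def run_scenario() -> list[Continuity]:
    """Three visits to one constructed host; returns the KCM verdict for each."""
    store = KeyContinuityStore()
    host = "bank.example"                     # constructed host name
    key_a = b"constructed-public-key-A"      # constructed key material
    key_b = b"constructed-public-key-B"

    first = Cert(host, "Some CA", key_a, serial=1001)
    renewal = Cert(host, "Some CA", key_a, serial=1002)     # same key, new serial
    other = Cert(host, "Another Root CA", key_b, serial=7)  # different key

    verdicts = [store.check(host, first), store.check(host, renewal),
                store.check(host, other)]
    # A CA-only check would accept `other` if "Another Root CA" is in the
    # root list; KCM flags it because the key the user relied on changed.
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict.value)
```

The third verdict is where the two models diverge: the certificate is well-formed and, in a CA-only model, acceptable as long as its issuer sits in the root list, but the continuity store reports `CHANGED` because the host's key is not the one the user has been relying on.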
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto