On 22/1/09 16:58, Eddy Nigg wrote:
> Suppose you own a car which has the flaw that once in a while the
> engine explodes in a huge fireball. Now the vendor of the car knows
> about it and recalls all cars for a fix. Otherwise the car vendor would
> be liable for any damage their cars may do - especially since he is aware
> of the flaw. The public knows about the potential flaw by now already,
> and the owners of the car may have heard about it too. Failing to recall
> the cars and offer a fix might have consequences.
Yes, good example, and that is how it is done, as far as I know. One
fireball won't get a car recalled. The US department of roads has
published costs for this, where a death is worth such and such an
amount. There is a good article on the cost of deaths, somewhere, I'll
post it if I find it.
Ghoulishly, if you can't show a profit in deaths, you don't get your
changes done.
> Now compare this example to that of the weak keys. And here comes Ian
> and says, it's only a theoretical weakness until your car explodes and
> you've seen the evidence of damages. Well, boy, go ahead, drive your car
> (or weak keys) and thankfully you aren't running a CA.
Sigh. You destroy your own argument. We *all know* but some of us
choose to ignore that driving a car is a very risky thing, and people
die all the time. There are numerous statistics out there, and
unbelievable quantities of information about how dangerous it is to
drive in a car.
Yet we all do it. And, it should be entirely logical that if a chance
of a fireball does not measurably change that risk, then there is no
point in worrying about it overmuch.
However, it is well recognised that even people schooled in sciences and
so forth suspend logic and knowledge and facts the moment they enter a
car. People widely worry about flying far more than driving, even
though the statistics comprehensively trash any notion that flying is
dangerous compared to being in a car.
> So in your eyes there would be no reason to disallow MD5 hashes either
> since no evidence of damage exists, right?
No, that is different.
1. MD5 is a *protocol* issue,
2. It affects all sites.
3. It is within Mozilla's power to deal with it.
4. It is within Mozilla's responsibility to deal with it.
Published private keys are CA-subscriber-relying-party business and are
the subject of CPSs and audits. This is deliberately outsourced by the
PKI and by Mozilla, and is neither within Mozilla's power nor its
responsibility.
(It is however Mozilla's risk .... and this is where it gets
complicated. Sad to say, Mozilla has not grasped this nettle.)
There are some who believe that Mozilla should have a general ability to
tell a CA what to do. Are you subscribing to that? Right now, Mozilla
can simply ask questions about audits and CPSs and so forth, with an
implied-but-empty threat of dropping from the root list, that's all.
Are you asking for a power -- and responsibility -- beyond that?
> The software vendors apparently think
> differently about it
Well, and I'm ashamed to say it, your point is only right for Mozilla.
According to what I've seen, we are going to be stuck with SHA1 for years.
Others can correct me, but as far as I saw last week, neither TLS nor
Apache httpd/OpenSSL can deal with SHA2; there is some server-side snafu.
(Remember: the MD5 case is exactly the same as the SHA1 case, and only
a few years of cryptanalysis separates them.)
> and thankfully you aren't a browser vendor
> either...
It is a thankless task no matter who does it. There are always people
who grumble and complain because things aren't to their liking, and
there are always those who prefer to shoot the messenger than think
about the message.
iang
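The distinction Ian draws above (an MD5 signature is a protocol matter the relying party can see and refuse by itself, whereas a published private key leaves the certificate looking normal and is only catchable with out-of-band knowledge) can be made concrete with a small check. The following is an added example, not code from the thread or from Mozilla/NSS: it builds a constructed, minimal X.509 skeleton in DER (empty names and validity, dummy signature bytes), then walks it to pull out the signature-algorithm OID and the RSA modulus. The OIDs are the standard PKCS#1 ones; the blacklist of "published" key hashes and the sample moduli are invented for the demonstration.

```python
"""Added example (not from the thread): two failure modes of one certificate.
MD5 signature  -> visible in the bytes, the relying party can reject on sight.
Published key  -> the cert looks fine; only a blacklist of known keys catches it.
Standard library only."""
import hashlib

# Standard PKCS#1 OIDs (the hash family is what matters for the check).
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"

# ---- minimal DER encoder, used only to build the constructed sample cert ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # sign bit kept clear

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def fake_cert(sig_oid, modulus):
    """Constructed X.509 skeleton: just enough structure to locate the two fields checked."""
    alg = seq(oid(sig_oid), tlv(0x05, b""))
    rsa_key = tlv(0x03, b"\x00" + seq(integer(modulus), integer(65537)))
    spki = seq(seq(oid(RSA_ENCRYPTION), tlv(0x05, b"")), rsa_key)
    tbs = seq(integer(1), alg, seq(), seq(), seq(), spki)   # serial, alg, issuer, validity, subject, SPKI
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))             # dummy signature bits

# ---- minimal DER decoder ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0   # first-arc rule simplified for arcs 0/1
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def inspect(cert_der):
    """Return (signature algorithm OID, RSA modulus) from a DER certificate."""
    _, cert, _ = read_tlv(cert_der)
    tbs, sig_alg, _ = children(cert)
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    items = children(tbs[1])
    if items[0][0] == 0xA0:                 # optional explicit [0] version
        items = items[1:]
    _, key_bits = children(items[5][1])     # SPKI -> (algorithm, BIT STRING)
    rsa_seq = children(key_bits[1][1:])[0]  # skip the unused-bits byte
    return sig_oid, int.from_bytes(children(rsa_seq[1])[0][1], "big")

def key_fingerprint(modulus):
    return hashlib.sha256(modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")).hexdigest()

# Constructed stand-in for a list of keys known to have been published (assumption).
PUBLISHED_KEY = 0xC0FFEE1234567890ABCDEF
PUBLISHED_KEYS = {key_fingerprint(PUBLISHED_KEY)}

def classify(cert_der, blacklist=PUBLISHED_KEYS):
    """List the problems a relying party can find; MD5 needs no outside data, the key does."""
    sig_oid, modulus = inspect(cert_der)
    findings = []
    if sig_oid == MD5_WITH_RSA:
        findings.append("protocol: MD5 signature, rejectable from the certificate alone")
    if key_fingerprint(modulus) in blacklist:
        findings.append("key: matches a published private key, found only via blacklist")
    return findings

if __name__ == "__main__":
    for label, cert in [("md5", fake_cert(MD5_WITH_RSA, 0xB00B1E5F00D12345)),
                        ("weak", fake_cert(SHA256_WITH_RSA, PUBLISHED_KEY))]:
        print(label, classify(cert))
```

The point the code makes is the asymmetry: `classify` finds the MD5 case from the certificate bytes alone, but the published-key case is invisible without `PUBLISHED_KEYS`, which has to come from somewhere other than the protocol.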
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto