On 23.07.2009, at 14:05, Eddy Nigg wrote:
On 07/23/2009 01:23 PM, Udo Puetz:
In other words: is it better to use a little more security easily or
proper security hard to master?
What is a little more security? Something which gives you a warm
fuzzy feeling, worth exactly nothing? I don't have the time to
explain all disadvantages of PGP, but I believe that a web-of-trust
with no oversight and no boot-strapping and no revocation method is
just security theater. That security works until you receive an
email signed by PGP key and counter-signed by another 15 people from
Steve Balmer confirming that you won in the Microsoft award lottery
45 million dollars and all you have to do is transfer 1495 dollars
by Western Union to me.
Right. I'm sure I could make a bunch of people warm and fuzzy by
getting some "tankers" for booze money from Moscow, transfer them to
some funky ex-USSR country or maybe some tropical island, make them
establish "Internet Million Dollar Lottery Inc.", get a www.milliondollarinternetlottery.com
website and a nice green EV certificate and ... collect for one
year, hope that the "tankists" have already died from too much alcohol
and leave to Nigeria.
This is a common way of fraud/scam/money laundry I believe anywhere in
the world. The way "tankists" (there is probably a better term in
English) have been abused is especially common here and in surrounding
countries where I live (Estonia, one of those ex-USSR). For a couple
of bottles of vodka or a few hundred euros you can get a bum, shave
him, wash him, cloth him, take him to the notary and the bank, get all
documents to run the thing, and voila - done. There have been new
money-laundry and anti-corruption laws in Estonia/EU but take some
place like Armenia and you're all set.
What I want to say - if it is the green bar that makes you feel warm
and safe and this is the "trust and security" we've not really
achieved anything.
My conclusion from this is: better use the small part than nothing at
all.
Nope, you are doing your users a disservice by giving them the false
sense of security. In the case of PGP it's certainly not something
for the masses.
Security or trust? PGP or the "web of trust" model works because it
mimics real life social interactions "my friend told me that she ..."
whereas x509 trees represent the "perfect mass" for whom "this is said
and thus so it shall be" is a perfectly OK situation. The green thing
works until a scam like I described will be pulled off and then it
will be like Verisign and Microsoft case.
Why "dumb masses" are needed, I leave as a conspiracy theory test.
Anyway, pointing people again to the nice table @ http://iang.org/papers/fc7.html#model
and looking at the list name (dev-tech-crypto) I assume that this
list talks about layers 1 and 2 and any efforts to change the status
quo should be done somewhere else.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
