View Full Version : Re: International Domain Name [IDN] support in modern browsers allows



Gwendolynn ferch Elydyr
15/02/05, 23:15
On Tue, 15 Feb 2005, bkfsec wrote:
> The difference between CAs and the BBB is that the BBB is well known and
> highly accountable. CAs are not necessarily.
> There is no widely screened public discussion or understanding of the
> function of CAs. The accepted root CAs do their jobs on the browser entirely
> in the background. Their "seal of approval" is considered implicit by the
> lack of a message at all.

The BBB is certainly well known, but describing it as highly accountable
is certainly inaccurate. A quick web search will inform you that the
BBB has local 'affiliates', and that the quality of these 'affiliates'
can vary dramatically from location to location.

There's no widely screened public discussion or understanding of the
function of the BBB - and their seal of approval certainly appears on
sites and businesses they've never heard of.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

bkfsec
16/02/05, 00:45
Gwendolynn ferch Elydyr wrote:

> On Tue, 15 Feb 2005, bkfsec wrote:
>
>> The difference between CAs and the BBB is that the BBB is well known
>> and highly accountable. CAs are not necessarily. There is no widely
>> screened public discussion or understanding of the function of CAs.
>> The accepted root CAs do their jobs on the browser entirely in the
>> background. Their "seal of approval" is considered implicit by the
>> lack of a message at all.
>
>
> The BBB is certainly well known, but describing it as highly accountable
> is certainly inaccurate. A quick web search will inform you that the
> BBB has local 'affiliates', and that the quality of these 'affiliates'
> can vary dramatically from location to location.
>
> There's no widely screened public discussion or understanding of the
> function of the BBB - and their seal of approval certainly appears on
> sites and businesses they've never heard of.
>
>
Well, I meant more accountable than CAs are. I still think that that
statement is accurate if you take my meaning.

-Barry

bkfsec
16/02/05, 00:55
Thor (Hammer of God) wrote:

>
> Of course the CA has to gain the trust of the users... There are many
> uses for client-based certificates: code signing, user verification,
> email encryption, automatic mapping of user account to personal
> certificates, blah blah blah. The business model of commercial CA's
> is most certainly not limited to server operators only. While
> personal certificate stores come with pre-trusted root certificates
> from many CA's to automatically trust many server-based functions,
> there is a vast market for client certs.
>
Yes, and how many average users do you know of who know this?

I know quite a number of average users and know of absolutely 0 who
would be aware of this.

-Barry

Sebastian
16/02/05, 01:05
A quick (and very non-scientific) thought: Do you have trust in the
issuer of your CC?
Do you trust a shop that has "Your major CC accepted" posted on the door?
Do you trust someone that can't provide the means to verify that trust,
with or without the sign?
Do you, as an average tourist, even know how you could check it?

I would think that the answer lies in one of those questions.

-Sebastian




Thor (Hammer of God) wrote:

>>> Nonsense. The CA is asking for your trust and can only earn revenue
>>> based
>>> upon the number of people who trust it.
>>
>>
>> Wrong. The CA gains trust because it manages to get its certificate
>> included
>> with the default package for major browsers.
>>
>> It then has to persuade its customers (the server operators) to buy a
>> certificate. It does not have to persuade any user: trust is already
>> implied by the bundling.
>
>
> Of course the CA has to gain the trust of the users... There are many
> uses for client-based certificates: code signing, user verification,
> email encryption, automatic mapping of user account to personal
> certificates, blah blah blah. The business model of commercial CA's
> is most certainly not limited to server operators only. While
> personal certificate stores come with pre-trusted root certificates
> from many CA's to automatically trust many server-based functions,
> there is a vast market for client certs.
>
> T





George Capehart
16/02/05, 21:45
bkfsec wrote:
> Scott Gifford wrote:
>
>>
>> My understanding of the business model was similar to an organization
>> like the Better Business Bureau; the customers are the ones paying to
>> be certified, because being certified gives them some extra
>> legitimacy. BBB is able to do this because they have built up public
>> trust; essentially they're a reseller of public trust. If they do a
>> poor job of screening, it reflects poorly on their customers, and
>> trust in them is reduced.
>>
>> CAs serve a similar function. If they have no public trust, what do
>> they have to sell? Surely people don't pay them 50-100 bucks for the
>> 5 seconds of CPU time it takes to sign the certificate...
>>
>>
>>
> The difference between CAs and the BBB is that the BBB is well known and
> highly accountable. CAs are not necessarily.
> There is no widely screened public discussion or understanding of the
> function of CAs. The accepted root CAs do their jobs on the browser
> entirely in the background. Their "seal of approval" is considered
> implicit by the lack of a message at all.

Ermmmmmm. Well, yes and no. CAs publish CPSs (Certification Practice
Statements). The purpose of the CPS is to provide: a) an auditable
statement of what the CA does when it certifies a public key at a given
level. If one doesn't like what one sees in the CPS, one doesn't need
to accept keys certified by that CA. It is up to the relying party (the
entity which needs to decide whether or not to accept a key) to read the
CA's CPS(s). The problem with PKIs is that 99.99999% of the people who
use public key cryptography are absolutely clueless when it comes to
understanding the technology, its applications or how to use it.
*/Theoretically/* CAs have *real* liabilities. BBBs don't. Having said
that, after reading the fine print in the CPSs, most disclaim things to
such a point that nailing them for anything real would not be worth the
effort . . .

See http://www.schneier.com/paper-pki.html for more info . . .

Cheers,

/g

bkfsec
16/02/05, 23:05
Gwendolynn ferch Elydyr wrote:

>> Well, I meant more accountable than CAs are. I still think that that
>> statement is accurate if you take my meaning.
>
>
> Actually I don't take your meaning. I'd appreciate it if you could
> spell out why you think that one organization paid to provide trust is
> different from another organization paid to provide trust.
>

Simple: relative physical location.

The local BBB is accountable to local laws. CAs are spread throughout
the world and are global in nature. As a member of a local community, I
can choose to familiarize myself with those regulations, understand
them, and use them against the BBB if they violate their trust. I can
also choose to go on a crusade against the local BBB.

Listen, I'm sure that you have a bone to pick with the BBB and I have no
quarrel with that. My point isn't that the BBB is a reputable, great
organization (I don't really believe that it is). My point is that the
CAs aren't trustworthy in that way and are even less trustworthy in my
view than the BBB.

I think that deep down we're agreeing on the point that they're
inherently untrustworthy. My point in saying "if you take my meaning"
was to highlight that rather than focus on this relatively minor
nitpicking of point. I'm not the first one in this thread to bring up
the BBB. So take your point up with the person who did bring it up, please.

-Barry

Gwendolynn ferch Elydyr
16/02/05, 23:15
On Wed, 16 Feb 2005, bkfsec wrote:
> The local BBB is accountable to local laws. CAs are spread throughout the
> world and are global in nature. As a member of a local community, I can
> choose to familiarize myself with those regulations, understand them, and use
> them against the BBB if they violate their trust. I can also choose to go on
> a crusade against the local BBB.
>
> I think that deep down we're agreeing on the point that they're inherently
> untrustworthy. My point in saying "if you take my meaning" was to highlight
> that rather than focus on this relatively minor nitpicking of point. I'm not
> the first one in this thread to bring up the BBB. So take your point up with
> the person who did bring it up, please.

Actually I'm just trying to be explicitly clear about the path that
you're using for trust. The BBB just happens to be the example that
you'd used as an organization that you'd trust more than your average CA.

As I'm reading you, you're saying that you:

(1) trust establishments that you can see and touch more
than you trust establishments that you can't see or touch.

(2) trust establishments that are bound by a legal system that
you're familiar with more than establishments that are bound
by a legal system that you aren't familiar with.

IMHO the question is more about what your particular grounds for trust
happen to be than whether CAs are all/partially/not trustworthy - or
if the BBB in your area happens to be trustworthy.

Personally I'd really debate the concept that physical proximity is
in any respect grounds for trust - and that familiarity implies the same.

I'd be far more inclined to suggest using consistent long term behaviour
as a predictor - and implementing a system where significant incentives
towards desired behaviour exist.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

bkfsec
16/02/05, 23:25
Thor (Hammer of God) wrote:

>
> The number of people that you know (or who I know) that are aware of
> the uses for client
> certificates is not what drives commercial certificate authority business
> models. The simple fact of the matter is that user-level
> certificates are an important part of the commercial certificate
> authority plan, and becoming more and more so as your "average" users
> become aware of certificate applications.

Actually, the number of people who are aware of the functioning and
usage of certificates is very important to the web of trust and, as
such, the business model. The "trustworthiness" of the CA is only
affected if enough people refuse to accept their certificates.


>
> When I got my NIC handle untold years ago, only 561 other humans had
> one. Your logic would preclude getting one in the first place, since
> no one knew they existed at the time. When SSL certs were first being
> created commercially, how many server operators did you know that had
> one? How many do you know now? It's the same thing with client
> certs, and the logic stands that certificate applications apply to
> them as well; particularly in regard to the business and marketing
> models various certificate authorities are running their business by.
> That was the point.
>
No - implying that my logic implies anything itself implies that I made
a recommendation against certification. I did no such thing.

The CAs have many uses and the way that they are used right now is
good. However, the question is whether you can trust them to moderate
IDN or any other site as trusted authorities.

My proposition is that the argument that they (and their associated webs
of trust) are inherently trustworthy because of external pressures is a
flawed assumption because they do not have the proposed level of
pressure applied to them since most of the people affected by their web
of trust don't understand it.

Until the average person can read and understand certs, my point stands.

-Barry

Gwendolynn ferch Elydyr
16/02/05, 23:25
On Tue, 15 Feb 2005, bkfsec wrote:
>>> The difference between CAs and the BBB is that the BBB is well known and
>>> highly accountable. CAs are not necessarily. There is no widely screened
>>> public discussion or understanding of the function of CAs. The accepted
>>> root CAs do their jobs on the browser entirely in the background. Their
>>> "seal of approval" is considered implicit by the lack of a message at all.
>>
>> Gwendolynn commented:
>> The BBB is certainly well known, but describing it as highly accountable
>> is certainly inaccurate. A quick web search will inform you that the
>> BBB has local 'affiliates', and that the quality of these 'affiliates'
>> can vary dramatically from location to location.
>>
>> There's no widely screened public discussion or understanding of the
>> function of the BBB - and their seal of approval certainly appears on
>> sites and businesses they've never heard of.
>>
>> bkfsec retorted:
> Well, I meant more accountable than CAs are. I still think that that
> statement is accurate if you take my meaning.

Actually I don't take your meaning. I'd appreciate it if you could
spell out why you think that one organization paid to provide trust
is different from another organization paid to provide trust.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

bkfsec
17/02/05, 04:35
David Schwartz wrote:

>>My proposition is that the argument that they (and their associated webs
>>of trust) are inherently trustworthy because of external pressures is a
>>flawed assumption because they do not have the proposed level of
>>pressure applied to them since most of the people affected by their web
>>of trust don't understand it.
>>
>>
>
> They don't have to. I don't understand how my supermarket gets their meat,
>but I trust them to use safe sources because I know that if they didn't
>those who do understand would tell me, and then I'd figure out a way to
>avoid it.
>
> No CA wants to find out what market forces will appear as soon as they
>prove to be untrustworthy. There are already many vehicles for immediately
>deploying blacklists. For example, Symantec could release an update for any
>of their security products that removed a root CA. It wouldn't take more
>than a small percent of web users to have a problem with a CA before people
>wouldn't want their certificates to be signed by that CA.
>
>
>
Symantec wouldn't do this. The backlash they would receive from angry
users alone would be enough to discourage it, never mind the potential
for legal problems.

Comparing CA accountability to meat sales isn't a valid analogy.
Obviously, the CAs don't want to be regulated, but trusting them because
of this is a bit like saying that business owners would never short-pay
an employee because of fear of what the employees would do.

It's also like saying that corporations never form trusts and price fix
for fear of the consumer.

Obviously, both of these assumptions are wrong and the assumption
regarding CAs is also wrong. The fact that it is assumed in the first
place is *the problem*.

Also, the fact that the CA market is competitive only further muddies
the waters. Not all CAs are in the same country and their competition
forces them to be price-competitive. This reduces the priority of being
responsible. Or, to use your meat analogy, mass-produced meat tends to
be of a lower quality than individually produced meat products,
particularly in unregulated countries.

People who think that the market will inherently protect them have been
reading too much Ayn Rand and need to step away from the
fiction-proposed-as-fact aisle. No offense meant by that - it's said
tongue-in-cheek. :)

-Barry

Seth Breidbart
17/02/05, 10:05
[BBB vs. CA]

Gwendolynn ferch Elydyr <gwen@reptiles.org> wrote:

> Actually I don't take your meaning. I'd appreciate it if you could
> spell out why you think that one organization paid to provide trust
> is different from another organization paid to provide trust.

Some are more competent than others.

In this case, neither is worth anything.

The CA says at most "They verified ownership of a domain at a very low
standard of proof." The BBB says "They pay us and they responded to
all complaints and said they did the right thing."

Neither of them is on the hook for having bad customers, nor will
either be likely to say bad things about its customers (which are
those who pay it).

Seth

Benjamin Franz
17/02/05, 23:25
On Wed, 16 Feb 2005, David Schwartz wrote:
>
> Correct. And the browser vendors gain trust because they only include
> reputable CAs.

Ummm.

No.

'They' (to a good first order approximation: 'Microsoft') are 'trusted'
because 'they' own 90% of the browser market following the abuse of a
desktop OS monopoly to force their applications competition out of the
market.

Defaults are power.

--
Benjamin Franz

"All right, where is the answer? The battle of wits has begun.
It ends when you click and we both serve pages - and find out who is right,
and who is slashdotted." - David Brandt

Stefan Paletta
17/02/05, 23:35
Sebastian wrote/schrieb/scripsit:
>A quick (and very non-scientific) thought: Do you have trust in the
>issuer of your CC?
>Do you trust a shop that has "Your major CC accepted" posted on the door?
>Do you trust someone that can't provide the means to verify that trust,
>with or without the sign?
>Do you, as an average tourist, even know how you could check it?
>
>I would think that the answer lies in one of those questions..

The key difference between a CA and a CC company is that the latter
takes part in the actual business transaction between the parties.
The customer does not have to trust the CC company to certify the shop
because he can demand the CC issuer to do a chargeback with almost no
questions asked.

The CC system also works in a way that is safe as long as customers
apply common sense, which they are expected to do. It still needs to be
figured out how to make common sense work for public key crypto on the
other hand.

-Stefan
--
junior guru SP666-RIPE JID:stefanp@jabber.de.cw.net SMP@IRC

Stefan Paletta
17/02/05, 23:45
Thor (Hammer of God) wrote/schrieb/scripsit:
>When I got my NIC handle untold years ago, only 561 other humans had one.
>Your logic would preclude getting one in the first place, since no one knew
>they existed at the time. When SSL certs were first being created
>commercially, how many server operators did you know that had one? How
>many do you know now? It's the same thing with client certs, and the logic
>stands that certificate applications apply to them as well; particularly in
>regard to the business and marketing models various certificate authorities
>are running their business by. That was the point.

Just like a NIC handle, a client certificate has no intrinsic value.
People get a NIC handle to use it in a specific process. Just like NIC
handles don't (anymore) work cross-registry, people will have to get
specific certificates to use in specific processes. It is only then
that certificates, being a complex technology, actually work when they
are dumbed down and sealed off sufficiently.
Server certificates are a slightly different thing, as their number is a
few magnitudes lower than the number of client certificates. It is only
economically viable to distribute knowledge if the number of ignorant
people is low enough.

-Stefan
--
junior guru SP666-RIPE JID:stefanp@jabber.de.cw.net SMP@IRC

Nick FitzGerald
18/02/05, 00:05
David Schwartz wrote:

> > My proposition is that the argument that they (and their associated webs
> > of trust) are inherently trustworthy because of external pressures is a
> > flawed assumption because they do not have the proposed level of
> > pressure applied to them since most of the people affected by their web
> > of trust don't understand it.
>
> They don't have to. I don't understand how my supermarket gets their meat,
> but I trust them to use safe sources because I know that if they didn't
> those who do understand would tell me, and then I'd figure out a way to
> avoid it.

That is not why you trust your supermarket to source good/safe meat at
all.

You trust your supermarket to source good/safe meat because you live
somewhere that has strongly enforced regulations, with very stiff
financial penalties, covering the slaughtering of animals, preparation
of their carcasses into meat products, and every step of the storage,
shipping, handling, display and sale of such products.

And, in fact, very similar reasons are why you trust so many other
conveniences that comprise "the modern Western way of life".

Further, these systems are so ingrained and work so well, most people
(such as yourself?) have forgotten that the checks and balances even
exist, taking for granted "safe meat from the supermarket" and so on.

The previous poster, to whom you responded is essentially correct. The
difference between CAs and the webs of trust surrounding them and the
whole CA/certification process do not have the checks and balances
governing them that they are assumed to have. This is equally true of
most other trust issues with computers, such as the most basic ones as
the assumption on the part of consumers that the OS and standard
applications for the typical tasks to which computers will be put are
designed to competently and safely perform those tasks while protecting
the users from what should, to the technically competent and informed
folk it is assumed design, write and test such software, be "obvious
dangers".

> No CA wants to find out what market forces will appear as soon as they
> prove to be untrustworthy. There are already many vehicles for immediately
> deploying blacklists. For example, Symantec could release an update for any
> of their security products that removed a root CA. It wouldn't take more
> than a small percent of web users to have a problem with a CA before people
> wouldn't want their certificates to be signed by that CA.
>
> The CA market is competitive.

So, why is VeriSign still in the CA business? Or should releasing two
code-signing certificates in Microsoft's name to non-MS related folk
not be considered untrustworthy enough to utterly destroy any rational
person's or organization's trust in a CA?


Regards,

Nick FitzGerald

bkfsec
18/02/05, 01:45
David Schwartz wrote:

>>Wow. You just conceded that there is significant pressure on major
>>vendors to not counter the CA, and then claimed that some ethereal other
>>would magically be able to enforce it where Symantec couldn't.
>>
>>
>
> What?! I did nothing of the sort. My "then" follows his "if". It does not
>concede that his "if" is true, in fact I think it's preposterous.
>
>
Refusing to address a point in an argument and responding with "then
someone else would have" is, by definition, conceding the point.

It's not a preposterous point. Why should Symantec use their AV product
to police the CA market? How about their other products? It would only
happen when it benefits them to do so, and that will only happen if the
CAs completely fail to do their duties.

>
>
>>Market demand sometimes does create solutions, however to claim that it
>>does without fail is a bit naive.
>>
>>
>
> Didn't say that.
>
>
Yes, you did say that. Look back in the thread. You were saying "The
market will provide a solution". I said that that was naive. Your
retort was "didn't say that".

Are you conceding more points or just ignoring your own arguments?

>>So, if not Symantec, then who else do you propose would?
>>
>>
>
> Lavasoft, Computer Associates, Bazooka, Webroot, Zone Labs, and pretty much
>every other computer security vendor.
>
>
The same pressures that affected Symantec would affect them.



>>History disagrees with you. So do a number of economists.
>>
>>
>
> First of all, the unusual circumstances have occurred in distorted markets.
>
>
All markets have the potential to be distorted. And any sober review of
any market will find most of these practices in place to one degree or
another.

>Second, it took awhile for people to learn that these strategies almost
>never work and to figure out precisely under what circumstances they do
>work.
>
>
Sure, they didn't know the best way to cheat people at first. All
solutions are better managed after trial and error. The problem with
your argument is that there is corruption in the markets, or are you
arguing that corruption is dead and all markets fix themselves? That
would seem a bit asinine to me. I guess you'll just respond with "I
never said that markets correct themselves..." :)


>>It would harm them, yes, but they very well can get away with it.
>>
>>
>
> Right, until it harms the users.
>
>
Correction: until it materially harms the user enough to address the
issue. All decisions have a cost/benefit basis to them.

>
>>It's interesting how you cite market dynamics in your arguments, but
>>disregard them when they aren't favorable to your point.
>>
>>
>
> How so?
>
>
Because you're neglecting to consider important factors in the markets
that are affected by this particular bug and, in fact, all CA root cert
revocations on the part of browser producers and when I bring them up,
you ignore them. Ignoring them makes it appear that you're being
selective in your positions.

>
> Or people set up that CA to a lower level of trust where they know the
>certificate has come from a CA they don't fully trust. Or maybe they
>download a list of certificates manually from that CA and don't trust
>unknown CAs without querying them with a third party. Or maybe, ...
>
> You can't predict how the market will work.
>
>
Of course not - I can only speculate based on factors at work at the
time. The same goes for yourself.



>
> There is a market in keeping users ignorant. So long as things "just work"
>users can stay ignorant, and I assure you, if CAs create a situation that
>doesn't "just work", someone else will work hard to come up with a solution
>to keep things that way.
>
>
Whoa whoa whoa. We're not talking about CAs creating a situation where
things don't "just work". Not in the least.

We're talking about the current IDN "bug" and the CAs dealing with
that. Someone else already answered that point by (correctly) stating
that it is not the responsibility of the CAs to protect people from
things like that.

My point is that even if it were their responsibility, you can't just
explicitly trust them to do so. Their accountability in dealing with
it is limited because as long as they are providing their service, they
won't be harmed.

If that situation became the norm, obviously - over time - that CA would
be obsoleted.

However, in the current context we're not talking about the CA system
failing.


>
>
>>There are millions of people out there who don't trust the MPAA or the
>>RIAA, for that matter. Not having the trust of the people hasn't
>>stopped them. Again, you've chosen a very poor example.
>>
>>
>
> No, the issue (with the MPAA, I'm not sure how the RIAA got into this) is
>not that people trust or don't trust them, the issue is that all they have
>to sell is their trust. For the vast majority of people, trusting the MPAA
>has never caused them a problem. So the alternatives to the MPAA only target
>very specialized markets.
>
>
The average person doesn't have a choice. The MPAA is, effectively, a
trust and a control for the movie industry. Looking through my own
movie collection, I don't have many movies that aren't associated with
the MPAA and I think I'd be hard-pressed to find more than five.

The average person doesn't have a trust relationship with the MPAA.
It's more of a dictatorial relationship. People buy or go watch movies
and, if the product is defective, they return it. There's not much of a
trust relationship there to speak of.

Hell, most people don't even trust the MPAA to properly rate movies.



>
>
>>The market does not inherently protect people. Anyone who believes that
>>is reality impaired and doesn't have a very good understanding of
>>history nor economics.
>>
>>
>
> That's not what I'm saying. I'm saying CAs have a huge interest in making
>sure their customers don't get harmed by their actions.
>
>
>
Yes, they have an interest in providing their services in the way that
is economically feasible to achieve their best goals. Obviously, they
don't want to see their customers harmed by their actions. However,
it's a leap of faith to go from that to "they will provide the best
service ever possible".

-Barry

Ron DuFresne
18/02/05, 02:05
On Wed, 16 Feb 2005, Gwendolynn ferch Elydyr wrote:

> On Wed, 16 Feb 2005, bkfsec wrote:
> > The local BBB is accountable to local laws. CAs are spread throughout the
> > world and are global in nature. As a member of a local community, I can
> > choose to familiarize myself with those regulations, understand them, and use
> > them against the BBB if they violate their trust. I can also choose to go on
> > a crusade against the local BBB.
> >
> > I think that deep down we're agreeing on the point that they're inherently
> > untrustworthy. My point in saying "if you take my meaning" was to highlight
> > that rather than focus on this relatively minor nitpicking of point. I'm not
> > the first one in this thread to bring up the BBB. So take your point up with
> > the person who did bring it up, please.
>
> Actually I'm just trying to be explicitly clear about the path that
> you're using for trust. The BBB just happens to be the example that
> you'd used as an organization that you'd trust more than your average CA.
>
> As I'm reading you, you're saying that you:
>
> (1) trust establishments that you can see and touch more
> than you trust establishments that you can't see or touch.
>
> (2) trust establishments that are bound by a legal system that
> you're familiar with more than establishments that are bound
> by a legal system that you aren't familiar with.
>
> IMHO the question is more about what your particular grounds for trust
> happen to be than whether CAs are all/partially/not trustworthy - or
> if the BBB in your area happens to be trustworthy.
>
> Personally I'd really debate the concept that physical proximity is
> in any respect grounds for trust - and that familiarity implies the same.
>
> I'd be far more inclined to suggest using consistent long term behaviour
> as a predictor - and implementing a system where significant incentives
> towards desired behaviour exist.
>

But do not "physical proximity" and "familiarity" also imply that a
lengthy relationship is probable, which would enable behavioural
observations of said length to determine its consistency? Somewhat like
the concept that a person gets better service from a smaller mom&pop shop
than they do in a superstore?


Thanks,

Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

bkfsec
18/02/05, 03:25
David Schwartz wrote:

>
> Then somebody else would. Market demand creates solutions. I can't see how
>the legal issues are any different from the ones they face when they label
>software as adware or spyware.
>
>
>
Wow. You just conceded that there is significant pressure on major
vendors to not counter the CA, and then claimed that some ethereal other
would magically be able to enforce it where Symantec couldn't.

Market demand sometimes does create solutions, however to claim that it
does without fail is a bit naive.

So, if not Symantec, then who else do you propose would?

>
>
>>It's also like saying that corporations never form trusts and price fix
>>for fear of the consumer.
>>
>>
>
> No, they never do so because such strategies only work in very unusual
>circumstances. Nobody can make a person pay more for something than it is
>worth.
>
>
History disagrees with you. So do a number of economists.


>
> I'm not assuming anything, I'm making an argument why it would be
>self-destructive for any CA to adopt such a strategy. That doesn't mean they
>won't do it, people certainly do stupid things when they think they can get
>away with it. But the fact is, CAs can't get away with it. So if they think
>they can, they will quickly be proven wrong.
>
>
It would harm them, yes, but they very well can get away with it.


>
>
>>Also, the fact that the CA market is competitive only further muddies
>>the waters. Not all CAs are in the same country and their competition
>>forces them to be price-competitive. This reduces the priority of being
>>responsible. Or, to use your meat analogy, mass-produced meat tends to
>>be of a lower quality than individually produced meat products,
>>particularly in unregulated countries.
>>
>>
>
> I could not disagree more. All a CA has to sell is its trust. The trust is
>its product. CAs sell trust, they are in the trust business. If a CA loses
>the trust of browser vendors, it has nothing to sell. If a CA loses the
>trust of users, pressure will be put on browser vendors.
>
>
It's interesting how you cite market dynamics in your arguments, but
disregard them when they aren't favorable to your point.

If hundreds of thousands of sites use a particular CA as their root,
then removing the CA trust from the browser will cause an annoyance for
the browser consumer, resulting in 1 of 2 possible outcomes:

1) People learn to modify their configs and setup the CA as trusted.

2) People move to browsers that trust that CA by default.

The only way that a CA can lose the trust of the browser users is if the
browser users understand how the CAs work and understand how to put
pressure on the browser market to achieve that end result.

Again, we get back to the fact that most end users (browser market
customers) can barely turn on their PCs, never mind understand or care
about CA trust relationships. You have to put yourself into that
position and think like they do before you should ever propose a
pie-in-the-sky market solution to something like this.

>
>
>>People who think that the market will inherently protect them have been
>>reading too much Ayn Rand and need to step away from the
>>fiction-proposed-as-fact aisle. No offense meant by that - it's said
>>tongue-in-cheek. :)
>>
>>
>
> Except that it does. Especially when all a company has to sell is its
>trust. This is true in many markets where companies have specifically set up
>to sell trust. You don't see people bribing the MPAA or Consumer Reports.
>Because such things could not possibly be hidden, and there's an immediate
>market remedy (stop trusting).
>
There are millions of people out there who don't trust the MPAA or the
RIAA, for that matter. Not having the trust of the people hasn't
stopped them. Again, you've chosen a very poor example.

The market does not inherently protect people. Anyone who believes that
is reality impaired and doesn't have a very good understanding of
history nor economics.

-Barry

bkfsec
18/02/05, 03:45
Thor (Hammer of God) wrote:

>
> Hmmm... I'm confused now... You just said in your last post that
> average users don't want, need, or know how certificates work, and how
> your previous (and specious) point stood because of that fact. Yet
> here, you state that enough of a backlash from these users exists to
> keep a global entity like Symantec from taking action should they
> revoke a trusted CA from a users' certificate store even though the
> user (according to you) didn't know they trusted in the first place.
> Explain that.

Simple. If a major CA root is revoked, a large number of major sites
will all start displaying browser warnings which will be an annoyance to
the user, causing at least a decent percentage of them to question why
they are getting a constantly recurring pop-up whenever they go to a
large number of sites.

Users are only interested (and not always so, but often) in things that
pop up in front of their faces and annoy them.

The user wasn't aware of the CA before (since a root CA being
automatically accepted by a browser will result in no warning message
for the user on sites that use certs supplied by the CA) but are aware
that something is up (and annoying) after (if) they update their browser.

So, no - it's neither specious nor is it confusing. It just requires
some common sense and actual exposure to the user population. Something
which some people here seem to be lacking.

>
>> Comparing CA accountability to meat sales isn't a valid analogy.
>> Obviously, the CAs don't want to be regulated, but trusting them
>> because of this is a bit like saying that business owners would never
>> short-pay an employee because of fear of what the employees would do.
>
>
> David was not comparing accountability to sales. He compared trust to
> trust. Pretty simple stuff.

David is the one who used the term sales - bring it up with him. Yeah,
pretty simple stuff - which is why I disagreed with it.



>
>
>> Also, the fact that the CA market is competitive only further muddies
>> the waters. Not all CAs are in the same country and their
>> competition forces them to be price-competitive. This reduces the
>> priority of being responsible. Or, to use your meat analogy,
>> mass-produced meat tends to be of a lower quality than individually
>> produced meat products, particularly in unregulated countries.
>
>
> I acquiesce. I failed to take into account the multi-national
> not-for-profit CA's out there making a killing by scooping up the free
> end-user business that you claim does not exist in the first place.

Who said anything about not-for-profit?

>
>> People who think that the market will inherently protect them have
>> been reading too much Ayn Rand and need to step away from the
>> fiction-proposed-as-fact aisle. No offense meant by that - it's said
>> tongue-in-cheek. :)
>
>
> No Barry, we just understand that the market corrects itself in these
> matters. That's how the market works. Once upon a time, there was no
> such thing as a certificate. Now it is a billion dollar biz. It has
> nothing to do with the BBB or who you think is the average user. I
> deploy and maintain an extensive PKI infrastructure for my company as
> I do for many of my clients. I'm happy to engage in further dialog
> regarding this subject so that I may have the opportunity to learn
> something, but before I do so, I'd like to get a glimpse into the vast
> PKI infrastructure you maintain so that I may prioritize your input.
> Please describe your Cert/PKI infrastructure so that we may all
> benefit from your knowledge.
>
Suffice it to say that I'm involved in maintaining one for a very large
corporation.

Frankly, I could care less how you prioritize what I say. You clearly
have your own opinions on the matter, I personally feel that they don't
take into account factors that are important.

You talk about browsers revoking trust in CAs as if it has no impact on
the end user.

You talk as if it's a simple proposition for Microsoft or any other
browser manufacturer to revoke a CA trust.

I'm saying that it's not, and that the browsers have to consider the
effects on their customers. I'm also saying that corporations, in this
case, don't always make the secure decision, but rather the decision
that gives the user the greatest amount of likelihood of using their
product.

If you disagree with this concept, I say that you're wrong.

It is a simple concept, yet you are continuing to disagree with it.

I'm sorry if you don't feel like you can learn anything from me, but I'm
not here to teach you. I'm simply saying that you are not taking all of
the factors into account. Feel free to disagree with that, but you'd
still be wrong.

The CA and browser markets do not exist in a vacuum.

-Barry

bkfsec
18/02/05, 04:35
David Schwartz wrote:

>
> This is no different than the case of Burger King buying inferior beef.
>While it's true the beef vendor only has to convince Burger King to buy the
>beef, not Burger King's customers, there wouldn't be any customers as soon
>as they found out that Burger King was reselling food made from inferior
>beef.
>
> This is just like any other indirect relationship. Buyers never want poor
>quality raw materials because they result in poor quality finished goods.
>

Ironically, you're talking about fast food companies buying "high
quality" materials. Fast food companies are notorious for buying
low-quality materials in order to keep prices low and, frankly, if they
lowered the quality of their beef, no one would notice.

Talk about picking a bad analogy.

-Barry

bkfsec
18/02/05, 04:55
David Schwartz wrote:

>
> I disagree with this entirely. First of all, there is no incentive to buy
>low-quality materials. It's obviously nonsensical. What they do try to do is
>buy the highest quality materials they can for the cost they're willing to
>spend. If they could lower the quality and no one would notice, why don't
>they?
>
>
Because they really couldn't get any lower in the quality chain without
seriously impacting their customers in an obvious fashion.

The concept you're referring to is quality versus grade. Burger King
wants the highest quality in the lowest grade possible.

The distinction you're making here is problematic, because you're taking
a general statement and quantifying it to the market it's in. The problem
with this is that low-quality, medium grade meat would still be of a
higher relative quality than high-quality, low grade meat.

The key here is the point "for the cost they're willing to spend" which
is the real factor which dictates what the actual product being sold
is. The low cost of burgers dictates that they can't purchase truly
high-quality meats.

Take the Angus Steakburger for instance. I love that burger - don't get
me wrong, I'm not a fast food bigot. However, is the Angus Steakburger
made with the same quality of meat that a gourmet steakhouse would use?
Obviously not.

It's probably the best of brand in the grade that it's in, but the fact
of the matter is that even if it's high-quality low grade steak, it's
still very low quality in reality.

In other words: the distinction is irrelevant because, to the consumer
and in reality, the meat is of a lower overall quality than meat they
would buy elsewhere.


>
>
>>Talk about picking a bad analogy.
>>
>>
>
> Actually, it's really good, just not a good one to pick because most people
>have serious prejudices about the food market, just as they do about the
>medical market. Fast food restaurants provide an excellent product at a very
>low price. Yes, it's not the best possible product, but nobody could produce
>that at the same price point.
>
Of course not. It's pure economics, and that's why your analogy is wrong.

-Barry

Rainer Duffner
19/02/05, 03:55
Vincent Archer wrote:

>On Wed, Feb 16, 2005 at 04:34:27PM -0800, David Schwartz wrote:
>
>
>> I'm not assuming anything, I'm making an argument why it would be
>>self-destructive for any CA to adopt such a strategy. That doesn't mean they
>>won't do it, people certainly do stupid things when they think they can get
>>away with it. But the fact is, CAs can't get away with it. So if they think
>>they can, they will quickly be proven wrong.
>>
>>
>
>Quickly? When Verisign issued in 2001 a certificate for "Microsoft" to
>somebody who simply said he was a Microsoft employee, and they didn't
>do any check about the identity of the person, what happened?
>
>Nothing. Except issuing a couple of "oops" certificate revocations.
>
>I can't even find a public announcement by Verisign stating they would take
>actions to correct their own validation procedures and avoid repetition
>of the incorrect (and for a public CA, inexcusable) behaviour. Everybody
>here hopes they fixed their procedures... but no one even knows.
>

I, too, would be interested in some kind of "lessons learned" document,
describing why this could happen at all - and how Verisign wanted to
avoid it in the future.

It's really a pity that the root-CAs in browsers haven't been subject
to more public scrutiny - now and back then.

cheers,
Rainer

--
===================================================
~ Rainer Duffner - rainer@ultra-secure.de ~
~ Freising - Munich - Germany ~
~ Unix - Linux - BSD - OpenSource - Security ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp ~
===================================================