To:
keydist@cafax.se
From:
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date:
Fri, 04 Jan 2002 15:21:16 -0500
Delivery-Date:
Fri Jan 4 21:23:04 2002
In-reply-to:
Your message of "04 Jan 2002 10:48:32 EST." <1010159312.12260.0.camel@error-messages.mit.edu>
Sender:
owner-keydist@cafax.se
Subject:
Re: From whence we came...
-----BEGIN PGP SIGNED MESSAGE----- >>>>> "Greg" == Greg Hudson <ghudson@MIT.EDU> writes: Greg> I see statements like this from some subset of security people all the Greg> time, and I can't help but find them hopelessly naive (or at the least, Greg> not interested in solving the same problem I am). This kind of attitude Greg> leads to security systems like PGP: very useful for those of us who want Greg> to actually devote time to worrying about trust, but with essentially Greg> zero chance of developing widespread use. Greg> The position is attractive to a certain mindset. It goes something like Greg> this: security is about trust, so we (developers of software and Greg> protocols) must go to some effort to find out who the user trusts before Greg> we should trust anybody. Since trust is a personal thing, everybody Greg> should have their own preferences. No single entity should have a Greg> distinguished position which they could abuse. ... Greg> The solution, then, is not to ask each user, "who do you trust?" but to Greg> create one or more high-profile organizations with accountability, who Greg> we expect pretty much everyone to trust. No one should force you to Greg> believe them, of course, just like no one forces you to go believe in Greg> ICANN's DNS information; but, as with DNS, you probably wouldn't find Greg> the Internet very useful if you don't. These positions are not contradictory. We (as developers of software and protocols) must make it possible for end users to decide who to trust. We (as citizens for the world) must work to create this high profile trusted organization which people who want to can trust. Greg> * You can't get a certificate from a well-recognized authority without Greg> spending too much money and (as I understand it) putting yourself at Greg> significant risk. Greg> * As I understand it, the combination of standards and policies Greg> currently in place do not allow an organization to get a single Greg> certificate (say, for mit.edu) from a well-recognized authority which in Greg> turn can be used to sign certificates for users (e.g. an email You used to to be able to get these types of things from some of the CAs, but I think a combination of politics, financial concerns and software screwed that up. Politics: who from mit.edu is authorized to do this? Finance: oops, there goes a significant chunk of money from MIT certs we were going to sell, so CA-org has to charge an ammount that now definitely requires some thought from finance.mit.edu about whether this is useful. Software: I think that many browser based SSL crap and other commerical libraries had too many bugs in the cert chain walking portions. Greg> * Pursuant to the last point, certificates take too long to expire, Greg> because certificates are essentially an off-line system and we assume Greg> that certificate renewal is cumbersome. Revocation would help, but the Greg> revocation features I know about in X.509 don't seem very scalable and Greg> aren't generally used. Since DNS is an on-line system, signatures can Greg> expire more quickly and domain turnovers can be more quickly reflected Greg> in the security system. Agreed. I'd rather get rid of CRLs and just resign things more often. This works for everyone but .com, and Verisign can solve that problem with other means for awhile. (My only operational problem that I have with DNSSEC right now is that I don't think that I have software that is smart enough to resign my zone based upon propogation delays and caching. I do it manually right now. Resigning every night in cron seems too much to me) ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: latin1 Comment: Finger me for keys iQCVAwUBPDYOt4qHRg3pndX9AQFn8QQAjnvNGgWzRZVhYqw4gLmHKFR9cpyy1oxi auNR20ZEUvzWTrJT0rynmY7nHTtEeaUWTPQB+T4Zs03CAnFVNUyDzmLXJqGjh4UQ CuYomCO6AAWEqYjLSUfThPEjsVqKXmsE/c0AHEa1svvVYkw4RicBGa6edPx03W1j eCL6Zkw/HAA= =ztpM -----END PGP SIGNATURE-----