To:
<sommerfeld@orchard.arlington.ma.us>
Cc:
"Keith Moore" <moore@cs.utk.edu>, "Edward Lewis" <lewis@tislabs.com>, <keydist@cafax.se>
From:
"Mike Petkevich" <michael_petkevich@bmc.com>
Date:
Tue, 26 Mar 2002 00:38:33 -0800
Sender:
owner-keydist@cafax.se
Subject:
Re: My take on the BoF session
>>Complex, hard-to-use security systems are either (a) not deployed, or
>>(b) misconfigured or (c) have bugs due to the complexity.
>>Any of these result in reduced security relative to a less-complex,
>>deployable alternative.

Agreed, but that is where our jobs are.

Notice how simple it is to use https://amazon.com or the like. The merchant
does not care who you are; you may be interested in his identity only. You
can be asked to accept a trusted root on the way :(

There is no one-size-fits-all security model, but a few well-known models:
anonymous/privacy, server authentication, mutual client/server
authentication. When explained, people make a choice consistent with their
requirements; DoD and serious banks go with mutual auth and agree to follow
guidelines. There may be people who would be happy to use anonymous DH only
for privacy, provided that MIM is ruled out. Thus the tradeoff can be
defined.

The nature of the problem has to do with the low entropy of a secure
environment vs. outside chaos. It is just not possible to maintain a secure
environment for free; the user has to keep a block of ice.

Regards,
Mike.

----- Original Message -----
From: "Bill Sommerfeld" <sommerfeld@orchard.arlington.ma.us>
To: "Mike Petkevich" <michael_petkevich@bmc.com>
Cc: "Keith Moore" <moore@cs.utk.edu>; "Edward Lewis" <lewis@tislabs.com>; <keydist@cafax.se>
Sent: Monday, March 25, 2002 9:03 PM
Subject: Re: My take on the BoF session

> > browsers are shipped with trusted CA roots hardcoded.
> > now if there was ever a system with a poor trust model, this is it.
> >
> > So it becomes a risk management problem. As a system designer I do
> > not want to make such decisions for a user.
>
> Indeed, and those who reject systems which wish to bootstrap off
> secured DNS out of hand are not letting the user make this informed
> decision.
>
> > Rather, I would like to give the user a notice that more usability will
> > bring more vulnerability and less security.
>
> Well, this tradeoff is inexact at best.
>
> Complex, hard-to-use security systems are either (a) not deployed, or
> (b) misconfigured or (c) have bugs due to the complexity.
>
> Any of these result in reduced security relative to a less-complex,
> deployable alternative.
>
> - Bill
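The message above contrasts anonymous DH ("privacy, provided that MIM is ruled out") with server authentication as in an https:// session. The following is an added illustration, not code from the keydist thread or from any of its participants: a toy Diffie-Hellman exchange run in three settings, anonymous with a passive observer, anonymous with an active man-in-the-middle, and server-authenticated, where the server binds both shares to a long-term credential the client already trusts. Two assumptions are deliberate stand-ins: the group (p = 2^127 - 1, generator 5) is far too small for real use, and the server's "signature" is an HMAC under a key the client is assumed to hold out of band, in place of a certificate chained to a trusted root and a real signature.

```python
"""Toy DH exchange under three trust models (added example, not from the thread).

  anonymous, no attacker      -> client and server share a key; an eavesdropper learns nothing
  anonymous, active attacker  -> client and server each share a key with the attacker instead
  server-authenticated        -> client detects the substituted share and aborts
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Toy group. p = 2^127 - 1 is prime, so the arithmetic is valid, but a
# deployment would use a named group (RFC 3526 MODP groups, or a curve).
P = (1 << 127) - 1
G = 5

# Stand-in for the server's long-term credential (assumption: in TLS this is a
# certificate plus signature; here an HMAC key only the server holds and the
# client is assumed to trust, i.e. the "accept a trusted root" step).
SERVER_LONG_TERM_KEY = secrets.token_bytes(32)


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent x, public share g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_session_key(priv: int, peer_share: int) -> bytes:
    """Session key = SHA-256 of the shared secret peer_share^priv mod p."""
    secret = pow(peer_share, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def sign_transcript(key: bytes, client_share: int, server_share: int) -> bytes:
    """Bind both shares, so neither can be swapped without the tag failing."""
    msg = client_share.to_bytes(16, "big") + server_share.to_bytes(16, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_transcript(key: bytes, client_share: int, server_share: int, tag: bytes) -> bool:
    return hmac.compare_digest(sign_transcript(key, client_share, server_share), tag)


def run_exchange(authenticated: bool, mitm: bool) -> Dict[str, Optional[bytes]]:
    """Run one client/server exchange; None means that party never got a key."""
    c_priv, c_share = dh_keypair()   # client
    s_priv, s_share = dh_keypair()   # server
    m_priv, m_share = dh_keypair()   # attacker (used only when mitm=True)
    result: Dict[str, Optional[bytes]] = {
        "client": None, "server": None,
        "attacker_with_client": None, "attacker_with_server": None,
    }

    # Flight 1, client -> server: an active attacker substitutes its own share.
    share_at_server = m_share if mitm else c_share
    result["server"] = dh_session_key(s_priv, share_at_server)

    # Flight 2, server -> client: the attacker substitutes again, but cannot
    # produce a tag under the server's key, so it can only forward the genuine
    # tag, which covers the shares the server actually saw.
    tag = sign_transcript(SERVER_LONG_TERM_KEY, share_at_server, s_share) if authenticated else None
    share_at_client = m_share if mitm else s_share

    if mitm:
        result["attacker_with_client"] = dh_session_key(m_priv, c_share)
        result["attacker_with_server"] = dh_session_key(m_priv, s_share)

    if authenticated and not verify_transcript(SERVER_LONG_TERM_KEY, c_share, share_at_client, tag):
        return result   # client aborts: tag does not cover the shares it sent and received
    result["client"] = dh_session_key(c_priv, share_at_client)
    return result


def summarize(authenticated: bool, mitm: bool) -> Dict[str, bool]:
    """Boolean view of one run, for comparing the three models side by side."""
    r = run_exchange(authenticated, mitm)
    c, s = r["client"], r["server"]
    return {
        "client_established": c is not None,
        "client_and_server_agree": c is not None and c == s,
        "attacker_knows_client_key": c is not None and c == r["attacker_with_client"],
        "attacker_knows_server_key": s is not None and s == r["attacker_with_server"],
    }


if __name__ == "__main__":
    for auth, mitm in ((False, False), (False, True), (True, False), (True, True)):
        print(f"authenticated={auth!s:5} mitm={mitm!s:5} ->", summarize(auth, mitm))
```

The unauthenticated runs are the "anonymous/privacy" model: fine against a passive observer, and silently broken by an active one, because each side agrees a key with the attacker and has no way to notice. The authenticated runs are the server-authentication model the message compares to https://amazon.com: the client's only prerequisite is a copy of the server's verification key, and with it a substituted share is detected and the session aborted. Mutual authentication would add the mirror-image check of a tag over the client's share.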