[15730] in cryptography@c2.net mail archive
Re: Using crypto against Phishing, Spoofing and Spamming...
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sat Jul 10 18:41:00 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
To: Amir Herzberg <herzbea@macs.biu.ac.il>
Cc: Amir Herzberg <amir@herzberg.name>, cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 10 Jul 2004 18:07:52 +0200
In-Reply-To: <40EC3C8D.4080502@cs.biu.ac.il> (Amir Herzberg's message of
 "Wed, 07 Jul 2004 20:10:21 +0200")
* Amir Herzberg:
> Florian Weimer wrote:
>
>> * Amir Herzberg:
>>
>>># Protecting (even) Na=EFve Web Users, or: Preventing Spoofing and
>>>Establishing Credentials of Web Sites, at
>>>http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%=
20area.PDF
>> The trusted credentials area is an interesting concept.
> Thanks.
>   However,
>> experience suggests that given the current business models, we cannot
>> build the required logotype registry.  All registries which are used
>> on the Internet (for IP address assignments, BGP prefixes, DNS names,
>> and even X.509 certificates) are known to fail under stress.
>
> I'm not sure what you mean by `logotype registry`.
A body which registers visual elements etc. and assigns them to an
owner.
> Such a registry already exist (off-web), i.e. national trademark
> offices, e.g. www.uspto.gov.
There are simply too many of them, and not all of them implement
checks for conflicts.  I'm pretty sure I could legally register
"Metzdowd" in Germany for say, restaurant service.
> These bodies could issue logo certificates.
These certificates would only have value if there is extensive
verification.  We probably lack the technology to do that cheaply
right now, and the necessary level of international cooperation.
> Or, private companies, e.g. verisign, can issue logo certificates,
> based on the official trademark registers; that shouldn't be hard.
But it is, it all boils down to who does the verification, and who
pays for it.  Identifying someone is not that hard, of course, but how
do you know if he or she is authorized to use a resource (be it a
trademark or an IP subnet)?
> As to a registry to hold these certificates - the site (e.g. bank)
> would probably keep it... and many other places (this is signed
> i.e. not risky to keep).
You still have to handle revocation.  Mistakes will happen. 8-/
> Finally, of course, until such certificates are available, we simply
> use the manual binding of logos/icons/names to public keys, on the
> first time you enter a secure site using a browser with our
> enchancement. It works great... very convenient, and very clear (see
> screen shots in paper).
Ah, I missed that part.  This could be rather helpful if users are
able to understand the concept.  Have you run any usability tests?
BTW, you can emulate it by removing all root CAs from your browser,
and just relying on previously stored certificates.  Works rather
well, although some people who have different threat models sneer at
it.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com