[17098] in cryptography@c2.net mail archive


Re: $90 for high assurance _versus_ $349 for low assurance

daemon@ATHENA.MIT.EDU (John Levine)
Sun Mar 20 12:11:37 2005

X-Original-To: cryptography@metzdowd.com
Date: 16 Mar 2005 23:17:59 -0000
From: John Levine <johnl@iecc.com>
To: cryptography@metzdowd.com
In-Reply-To: <423807E7.8040309@cs.biu.ac.il>
Cc: herzbea@macs.biu.ac.il

>John, thanks for this fascinating report!

>Conclusion? `Not all CAs/certs are created equal`... therefore we
>should NOT automatically trust the contents of every certificate
>whose CA appears in the `root CA` list of the browser.

Although some certs make more intrusive checks, it all strikes me as
security theater.  In particular, although some of them make some
effort to verify that I am who I say I am, I don't see any of them
making any effort to verify that my web sites are what they say they
are.  It would be an interesting experiment to register, say,
PAYPAL-VERIFICATION.COM (which is available) with my own info in
WHOIS, then apply for a cert from Verisign saying that it's me, and
see if they ask if I'm Paypal.  My guess is that they wouldn't.

Treating CAs differently would be a fine idea if there were a real
difference, but $300 or $1000 still isn't anywhere close to what it
would cost to do a meaningful investigation of someone's identity.

I've been proposing for a while that we try industry-specific branded
certs.  The branding would put a logo in the signing cert (there's
already a field for it) and adjust browsers to display the signing
cert's logo in a place where users can't put anything else, e.g., the
corner that usually displays the IE "e" or Firefox bat.  Industry
specific means that the certs would be issued by a regulator or
industry association who already knows who the legitimate entities
are, such as the FDIC for banks in the US, so there's no extra step of
introducing the certified parties to the certifier.

The point of branding the signer is that you then have a single brand
that you want to tell people to look for, e.g. "Would you bank at an
office without the FDIC logo in the window?  Look for the same logo
on your bank's web site."

There remain some issues, notably how you keep fake signing certs out
of computers of people who will click the OK box in a window that says
"Harvest all your account numbers and steal all your money?"  But it
seems to me a reasonable approach to more credible online identity for
often-faked targets.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
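The per-issuer trust policy John sketches above (a badge shown only when the signer is a known industry CA that vouches for the site, and a domain name alone earning nothing) can be written down as a small browser-side check. The block below is an added illustration, not code from the post or from any browser; the "Example Banking Regulator" CA, its member list, the key bytes used to fingerprint signers, and the `Cert` record standing in for parsed X.509 data are all constructed for the example.

```python
"""Browser-side policy for branded, industry-specific signing certs.

Constructed illustration: the signer keys, the regulator's member list and
the Cert records are made up stand-ins, not real certificates or CAs.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def key_id(public_key_bytes: bytes) -> str:
    """Fingerprint of a signer's public key.  Keying the policy on this,
    rather than on the issuer's distinguished name, means a fake root that
    a user clicked 'OK' on cannot earn the badge by copying the name."""
    return hashlib.sha256(public_key_bytes).hexdigest()


# Constructed key material standing in for the real signers' public keys.
REGULATOR_KEY_ID = key_id(b"constructed: example banking regulator CA key")
COMMERCIAL_KEY_ID = key_id(b"constructed: ordinary commercial CA key")


@dataclass
class Cert:
    """Minimal stand-in for the fields a browser would read from an end-entity
    certificate after chain validation."""
    subject_cn: str
    issuer_key_id: str
    san_dns: List[str] = field(default_factory=list)
    logo_uri: Optional[str] = None  # hypothetical logotype reference, unused here


# Constructed registry: which signer key is the branded issuer for a sector,
# and which registrable domains that regulator has vouched for.
BRANDED_ISSUERS = {
    REGULATOR_KEY_ID: {
        "brand": "banking",
        "members": {"examplebank.com", "paypal.com"},
    },
}

# Brand tokens derived from the registry, used only to flag look-alike names.
BRAND_TOKENS = {m.split(".")[0] for p in BRANDED_ISSUERS.values() for m in p["members"]}


def registrable(name: str) -> str:
    """Crude registrable-domain guess (last two labels); enough for the
    constructed inputs here, a real check would use the public suffix list."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def is_member(name: str) -> bool:
    return any(registrable(name) in p["members"] for p in BRANDED_ISSUERS.values())


def names_in(cert: Cert) -> set:
    return {n.lower().rstrip(".") for n in [cert.subject_cn, *cert.san_dns]}


def classify(cert: Cert) -> Tuple[str, Optional[str], List[str]]:
    """Return (verdict, brand, names).

    branded          signer is a registered industry CA and every name is a member
    branded-mismatch signer is branded but a name is outside its registry: no badge
    lookalike        ordinary signer, name carries a brand token it does not own
    plain            ordinary signer, nothing to say either way
    """
    names = names_in(cert)
    policy = BRANDED_ISSUERS.get(cert.issuer_key_id)
    if policy:
        outside = sorted(n for n in names if registrable(n) not in policy["members"])
        if outside:
            return ("branded-mismatch", policy["brand"], outside)
        return ("branded", policy["brand"], sorted(names))
    lookalikes = sorted(n for n in names
                        if any(tok in n for tok in BRAND_TOKENS) and not is_member(n))
    if lookalikes:
        return ("lookalike", None, lookalikes)
    return ("plain", None, sorted(names))


if __name__ == "__main__":
    samples = [
        Cert("www.examplebank.com", REGULATOR_KEY_ID, ["examplebank.com"]),
        Cert("paypal-verification.com", COMMERCIAL_KEY_ID),
        Cert("examplebank.com", COMMERCIAL_KEY_ID),
        Cert("examplebank.com", key_id(b"constructed: user-installed fake root key")),
    ]
    for c in samples:
        print(c.subject_cn, "->", classify(c))
```

Two points the constructed cases make: a cert for `paypal-verification.com` from an ordinary CA validates fine and is flagged only as a look-alike, which is exactly the gap the message describes; and a cert for a genuine member domain earns the badge only when the signer's key matches the regulator's, so a root with the right name but the wrong key, installed by a user who clicked through a dialog, gets nothing.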


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
