[18325] in cryptography@c2.net mail archive
Re: Another entry in the internet security hall of shame....
daemon@ATHENA.MIT.EDU (james hughes)
Mon Aug 29 11:02:10 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <43121149.1664.185A649E@localhost>
Cc: james hughes <hughejp@mac.com>,
"James A. Donald" <jamesd@echeque.com>
From: james hughes <hughejp@mac.com>
Date: Mon, 29 Aug 2005 10:49:21 -0400
To: Cryptography <cryptography@metzdowd.com>
In listening to this thread hearing all the hyperbole on both sides, =20
I would suggest that we may need more fuel to the fire.
There was a rump presentation at the recent Crypto on the use of =20
"Ceremonies" (which, pardon my misstatement in advance, is claimed to =20=
be computer protocols with the humans included). The presentation =20
states, "Design a great protocol, prove it secure; add a user, it=92s =20=
insecure". This specifically discusses SSL.
The entire rump session is at
http://www.iacr.org/conferences/crypto2005/rumpSchedule.html
scroll down to
Ceremonies by Carl Ellison
The presentation and video
http://www.iacr.org/conferences/crypto2005/r/48.ppt
http://www.iacr.org/conferences/crypto2005/r/48.mov
The video is about 50MB.
Thanks
jim
On Aug 28, 2005, at 10:32 PM, James A. Donald wrote:
> --
> From: Dave Howe <DaveHowe@gmx.co.uk>
>
>> 2) Google got into the CA business; namely, all
>> GoogleMail owners suddenly found they could send and
>> receive S/Mime messages from their googlemail
>> accounts, using a certificate that "just appeared" and
>> was signed by the GoogleMail master cert. Given the
>> GoogleMail user base, this could make GoogleMail a
>> defacto CA in days.
>>
>> 3) This certificate was downloaded to your GoogleTalk
>> client on login, and NEVER cached locally
>>
>> Ok, from a Security Professional's POV this would be a
>> horror - certificates all generated by the CA (with no
>> guarantees they aren't available to third parties) but
>> it *would* bootstrap X509 into common usage,
>>
>
> That horse is dead. It is not going into common usage.
>
> SSL works in practice, X509 with CA certs does not work
> in practice. People have been bullied into using it by
> their browsers, but it does not give the protection
> intended, because people do what is necessary to avoid
> being nagged by browsers, not what is necessary to be
> secure.
>
> --digsig
> James A. Donald
> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
> mQ0rM7wYdVTuoeMRUcrpDc1V9pUqhEgUmJMtyCZZ
> 469u1yKDDCKWaUWwU/LYyE/7CVNRZV7OjXCs+Kyyc
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to =20
> majordomo@metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
