[70090] in North American Network Operators' Group


The Internet is Too Secure Already (was Re: Buying and selling root

daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Apr 28 23:20:17 2004

Date: Wed, 28 Apr 2004 23:19:48 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: nanog@merit.edu
In-Reply-To: <20040429010528.838BA7B46@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 28 Apr 2004, Steven M. Bellovin wrote:
> Matt Blaze said it well:  "A commercial CA will protect you from anyone
> from whom they won't take money."

With current SSL implementations, you have to rely on all of the
commercial CAs not taking the money.  Any match wins.

> verification that the spoof was detected.  Is this good enough?  What's
> your threat model...?

My threat model was simple :-) I wanted to reduce the messages in my logs
about certificate verification failures.  I could load a few widely used
CAs or I could just turn certificate verification off (the default) and
the messages would stop.

Eric Rescorla gave a good talk at USENIX Security last year called
"The Internet is Too Secure Already"
   http://www.rtfm.com/TooSecure-usenix.pdf

Part of his talk was the threat model mismatch on the Internet.

   - Excessive concern with active attacks
   - Taking cryptanalytic attacks too seriously
   - Forgetting about other threats
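
Added example, not part of the original message: a Go sketch of the "any match wins" behaviour mentioned above, using only the standard library's crypto/x509. The two root CAs and the host www.example.test are constructed for the illustration, and newCert, accepts and check are helper names assumed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// newCert makes a self-signed root CA (nil parent) or a server cert for name signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = t, key // no parent: self-signed root
	} else {
		t.DNSNames = []string{name} // leaf: the host name goes in the SAN
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// accepts reports whether leaf verifies for host when the trust store holds exactly roots.
func accepts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r) // every root added is trusted for every name
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
func main() {
	caA, _ := newCert("Constructed CA A", nil, nil)
	caB, keyB := newCert("Constructed CA B", nil, nil)
	leaf, _ := newCert("www.example.test", caB, keyB) // issued by CA B only
	// Store {A, B} accepts the leaf; store {A} alone rejects it. Prints: true false
	fmt.Println(accepts(leaf, "www.example.test", caA, caB), accepts(leaf, "www.example.test", caA))
}
```

The verifier never asks which CA the site operator actually uses: a certificate chaining to any root in the store passes, so the store's strength is that of its least careful member.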

