Another entry in the internet security hall of shame....
james hughes
hughejp at mac.com
Mon Aug 29 10:49:21 EDT 2005
In listening to this thread hearing all the hyperbole on both sides,
I would suggest that we may need more fuel to the fire.
There was a rump presentation at the recent Crypto on the use of
"Ceremonies" (which, pardon my misstatement in advance, is claimed to
be computer protocols with the humans included). The presentation
states, "Design a great protocol, prove it secure; add a user, it’s
insecure". This specifically discusses SSL.
The entire rump session is at
http://www.iacr.org/conferences/crypto2005/rumpSchedule.html
scroll down to
Ceremonies by Carl Ellison
The presentation and video
http://www.iacr.org/conferences/crypto2005/r/48.ppt
http://www.iacr.org/conferences/crypto2005/r/48.mov
The video is about 50MB.
Thanks
jim
On Aug 28, 2005, at 10:32 PM, James A. Donald wrote:
> --
> From: Dave Howe <DaveHowe at gmx.co.uk>
>
>> 2) Google got into the CA business; namely, all
>> GoogleMail owners suddenly found they could send and
>> receive S/Mime messages from their googlemail
>> accounts, using a certificate that "just appeared" and
>> was signed by the GoogleMail master cert. Given the
>> GoogleMail user base, this could make GoogleMail a
>> defacto CA in days.
>>
>> 3) This certificate was downloaded to your GoogleTalk
>> client on login, and NEVER cached locally
>>
>> Ok, from a Security Professional's POV this would be a
>> horror - certificates all generated by the CA (with no
>> guarantees they aren't available to third parties) but
>> it *would* bootstrap X509 into common usage,
>>
>
> That horse is dead. It is not going into common usage.
>
> SSL works in practice, X509 with CA certs does not work
> in practice. People have been bullied into using it by
> their browsers, but it does not give the protection
> intended, because people do what is necessary to avoid
> being nagged by browsers, not what is necessary to be
> secure.
>
> --digsig
> James A. Donald
> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
> mQ0rM7wYdVTuoeMRUcrpDc1V9pUqhEgUmJMtyCZZ
> 469u1yKDDCKWaUWwU/LYyE/7CVNRZV7OjXCs+Kyyc
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list