<div dir="ltr"><div><div>On 4/28/15 at 6:42 AM, iang at <a href="http://iang.org">iang.org</a> (ianG) wrote:<br><br><br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Indeed. But take the well-known case of SSL. The industry bends over<br>
backwards to state that authentication of the server is the key benefit.<br>
Yet, they fail to authenticate the server in phishing - a simple<br>
bypass attack. And for most webservers, they couldn't care less about<br>
their own authentication, what they care about is the client<br>
authentication. SSL completely muffs client authentication, leaving the<br>
users to come up with ad hoc password stuff.<br>
<br>
(Yeah, now poeple will chime in and repeat the marketing about how it's<br>
hard because of multiple devices and and and ... the point is, every<br>
which way you look at the SSL story, it isn't about what the users need,<br>
it's about what was easy to convince to be sold.)</blockquote><br></div>Yeah, it would be nice if affidavits and background checks were used to authenticate people applying for certificates.<br><div><br><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">If you want security solutions to be widely deployed, nothing <br>beats having a revenue model for someone. With a revenue model, <br>you have a champion who will work hard to sell the solution to <br>the world. Without a revenue model, you just have a bunch of <br>geeks with a good idea. We have TLS with CAs because there is a <br>revenue model, not because it is the best solution.<br><br>Cheers - Bill<br></blockquote><div><br></div><div> If a standard is terrible, there can be three reasons:<br></div><div>1. Stupidity<br></div><div>2. Corruption<br></div><div>3. Greed<br><br></div><div>TLS with CAs could very well be any or all three. SSL did not standardize padding. Corruption to allow state actors to violate trust (our CA was accidentally hacked). You explained how greed could be a motive.<br></div></div></div>