Announcing httpsy://, a YURL scheme

Ian Grigg iang at systemics.com
Mon Jul 14 17:13:30 EDT 2003 

Ed Gerck wrote:
> 
> Ian Grigg wrote:
> 
> > Ed Gerck wrote:
> > > Not that I believe CAs are essential (I don't, for reasons already presented in '97),
> > > but unless the issues of spoofing, MITM and revocation are adequately handled
> > > according to a threat model that is useful, communication cannot be considered
> > > secure.
> >
> > Well.  I worry that your criticism rides on a circular
> > assumption.
> >
> > To unwind, it is a statement of definition that if the
> > threat model is not covered, then the communications
> > are insecure.  If the threat model *is* met, then the
> > communications are secure.
> >
> > So the question devolves to "what is the threat model?"
> 
> To unwind my phrase above, IMO the threat model should adequately handle the
> issues of spoofing, MITM and revocation in order to be useful. Otherwise,
> communication cannot be considered secure.

OK, so that's YOUR threat model.  It isn't mine,
and I'm guessing it isn't Tyler's (I can base
this on Tyler's new post, where he implies that
his threat model is "like PGP & SSH").

The issue then becomes, why is your threat model
more relevant than mine, or v.v.  That has not
been addressed in this thread, merely implied.

(I grant you, this is a really big issue, and
cannot be addressed in a simple thread.  But,
that doesn't make it any less valid!)

> As a counter-example, using an empty threat model does not qualify
> for "secure" even though any implementation would meet an empty threat
> model. Not including a recourse against probable attacks such as spoofing,
> MITM and key compromise (revocation) is IMO actually insecure.

Yeah, all that is doing is assuming that this
threat model is "the one!"  That has no basis,
although, I grant you that it is too commonly
done by by far, and is good enough to fool most
of the people most of the time.  (Including, to
be fair, by Tyler himself, as "like SSH & PGP"
is not a threat model.)

It makes no sense to talk about this threat model
or that one, if one assumes that all threat models
are the same.

We ask "what's your threat model" - WYTM - for a
reason:  because threat models differ.

To jump from the empty set to "must have spoofing/
MITM/compromise" to be a threat model is to say
that there is little merit in the concept of threat
models.  That is, in effect, attempting to capture
the meaning of independant and validated threat
models to push ones own view of what is the "one
big threat model."

E.g., that's marketing, not science (and nowhere
near engineering, which is where we should be
heading, IMHO!).

To take a hypothetical example:  a smart card has
a key inside it.  It's really hard to get the key
out.  Even if you get it out, you can't put it back
into a smart card without substantial difficulties,
because everyone looks at the cards before talking
to them.  So, we conclude, no-one can even make a
pretend card without spending more than it's worth.

Then, under those assumptions, why would you include
"compromise of the key" in your threat model?  Far
better to ignore that case, and wait until it happens.

(As I say, simply hypothetical.)

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list