WYTM?

Eric Rescorla ekr at rtfm.com
Mon Oct 13 19:12:10 EDT 2003 

Ian Grigg <iang at systemics.com> writes:
> > It's really a mistake to think of SSL as being designed
> > with an explicit threat model. That just wasn't how the
> > designers at Netscape thought, as far as I can tell.
> 
> 
> Well, that's the sort of confirmation I'm looking
> for.  From the documents and everything, it seems
> as though the threat model wasn't analysed, it was
> just picked out of a book somewhere.  Or, as you
> say, even that is too kind, they simply didn't
> think that way.
>
> But, this is a very important point.  It means that
> when we talk about secure browsing, it is wrong to
> defend it on the basis of the threat model.  There
> was no threat model.  What we have is an accident
> of the past.

Maybe so, but it coincides relatively well with the
common Internet threat model, so I think you can't
just dismiss that out of hand as if it were pulled
out of the air.


> > Incidentally, Ian, I'd like to propose a counterargument
> > to your argument. It's true that most web traffic
> > could be encrypted if we had a more opportunistic key
> > exchange system. But if there isn't any substantial
> > sniffing (i.e. the wire is secure) then who cares?
> 
> 
> Exactly.  Why do I care?  Why do you care?
> 
> It is mantra in the SSL community and in the
> browsing world that we do care.  That's why
> the software is arranged in a a double lock-
> in, between the server and the browser, to
> force use of a CA cert.

You keep talking about the server locking you in, but it doesn't.
The world is full of people who run SSL servers with self-signed
certs.

And on the client side the user can, of course, click "ok" to the "do
you want to accept this cert" dialog. Really, Ian, I don't understand
what it is you want to do. Is all you're asking for to have that
dialog worded differently? It's not THAT different from what
SSH pops up.

-Ekr




-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list