WYTM?
Eric Rescorla
ekr at rtfm.com
Mon Oct 13 19:12:10 EDT 2003
Ian Grigg <iang at systemics.com> writes:
> > It's really a mistake to think of SSL as being designed
> > with an explicit threat model. That just wasn't how the
> > designers at Netscape thought, as far as I can tell.
>
>
> Well, that's the sort of confirmation I'm looking
> for. From the documents and everything, it seems
> as though the threat model wasn't analysed, it was
> just picked out of a book somewhere. Or, as you
> say, even that is too kind, they simply didn't
> think that way.
>
> But, this is a very important point. It means that
> when we talk about secure browsing, it is wrong to
> defend it on the basis of the threat model. There
> was no threat model. What we have is an accident
> of the past.
Maybe so, but it coincides relatively well with the
common Internet threat model, so I think you can't
just dismiss that out of hand as if it were pulled
out of the air.
> > Incidentally, Ian, I'd like to propose a counterargument
> > to your argument. It's true that most web traffic
> > could be encrypted if we had a more opportunistic key
> > exchange system. But if there isn't any substantial
> > sniffing (i.e. the wire is secure) then who cares?
>
>
> Exactly. Why do I care? Why do you care?
>
> It is mantra in the SSL community and in the
> browsing world that we do care. That's why
> the software is arranged in a a double lock-
> in, between the server and the browser, to
> force use of a CA cert.
You keep talking about the server locking you in, but it doesn't.
The world is full of people who run SSL servers with self-signed
certs.
And on the client side the user can, of course, click "ok" to the "do
you want to accept this cert" dialog. Really, Ian, I don't understand
what it is you want to do. Is all you're asking for to have that
dialog worded differently? It's not THAT different from what
SSH pops up.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list