Is cryptography where security took the wrong branch?

Bill Stewart bill.stewart at pobox.com
Sun Sep 7 20:24:28 EDT 2003 

Ian Grigg wrote:
> Pretty much.  "Trust" in the certificate world means that
> a CA has authorised a web server to conduct crypto stuff.
and James Donald and Lynn Wheeler also brought up the issues
of who's certifying what, True Names, etc.

SSL certs are really addressing (I won't say "solving", exactly)
two different problems -
- Whether the communication session you're setting up with
	example.com is really set up with them and not a MITM
- Whether Example.com is slightly more likely to be run by Example Inc.,
	and not some impostor like Example-Nigeria Ltd
	or Bad Example Spa Resort, GMBH, both of whom
	happily accept all major credit cards.

DNSSEC (or something like it) takes care of the first problem,
without the intervening step of requiring True Names.
It doesn't help the second problem, and DNS doesn't either,
which is one reason that ICANN is so insistent on getting True Names
for whois records and forcing registrars to get them as well.

It's possible to get some uncertified human-readable information
about a domain name from its whois records.
It's possible to get more human-readable information from SSL certs,
and in some cases that information might be certified in a meaningful way,
but in other cases it's not, and browsers aren't typically very good at
telling you that information unless you try hard to get it,
and when they do nag users about it, users usually ignore it.
But it's not always even useful information - Bad Example might have
a cert from trustcenter.de because they take Visa cards at their spa,
but you may be on their _other_ web site that's selling cheap knockoffs of 
whatever the Example Inc. you were trying to deal with sells.
Your browser isn't smart enough to know that.

While DNSSEC mostly follows a hierarchical model, that doesn't mean
that you couldn't get some user-friendly or browser-friendly
certification model that does provide multi-homed values for
rating information about web sites - Consumer Reports or the
Better Business Bureau or whatever could do signed statements
about domain names without building it into DNS or SSL.








---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list