Using crypto against Phishing, Spoofing and Spamming...

Amir Herzberg herzbea at macs.biu.ac.il
Sun Jul 11 05:15:01 EDT 2004


Ian Grigg wrote:

> This indeed is the crux of the weakness of the
> SSL/secure browsing/CA system.  The concept
> called for "all CAs are equal" which is an
> assumption that is easily shown to be nonsense.
Exactly. Browsers simply require sites to have a certificate from any 
CA. Browsers can't even specify a list of their preferred/acceptable 
CAs... This made it easier for SSL to roll-out, but, like you say, made 
certificates into commodities and almost meaningless.
<skip>
> The essence of any fixes in the browsers should
> be to address the (rather fruitful) diversity
> amongst CAs, and help the user to make choices
> amongst the brands of same.
Agreed!
> 
> Some CAs are more equal than others... and the
> sooner a browser recognises this, the better.
Agreed! Except, I think that the user may also be involved in 
recognizing the more trustworthy CA, e.g. by including also a logo of 
the CA in the TCA - so I can see, `this site is IBM (since I see their 
logo) and this was validated by Verisign and/or the USPTO (since I see 
their "logo certified by" logo(s))`.
> 
>>> These bodies could issue logo certificates.
Exactly!
>>
>> These certificates would only have value if there is extensive
>> verification.  We probably lack the technology to do that cheaply
>> right now, and the necessary level of international cooperation.
I'm not sure I agree here. I think that many logos (e.g. of 
international companies) are already well protected by the existing 
network of trade mark offices. As to smaller companies, they would be 
protected by the logo but also by including icons/seals of credentials 
in the Trusted Credentials Area. E.g., getting back to your example, a 
site such as Perry's, which contains professional crypto information, 
should be able to get a credential from organizations such as IACR or 
ACM or Financial Cryptography or... and I guess these places would not 
give a credential (certainly not to the same logo) for a restaurant.

So, the site logo becomes more meaningful when accompanied by the Logo 
Certifying Authority logo, and/or by appropriate credentials.
> 
> I'm not sure I understand how logo certs would
> work, as there is still the possibility of same
> being issued by CA-Nigeria and having remarkable
> similarity to those issued by USPTO.
Let's not pick on Nigeria, but I get your point; but why should you set 
your browser to trust logo certificates from an LCA you don't trust?? 
The site can obtain multiple logo certificates if it wants its logo to 
be internationally trusted.
> 
> Until the CA is surfaced and thrust at the face
> of the user, each browser's 100 or so root CAs
> will be a fundamental weakness.  Including of
> course the absence of CA, which is something
> that is nicely hidden from the user.
Agreed. We already planned to have the LCA's logo in the TCA but I'll 
modify the paper (and code) to make this more clear and visible. Thanks!

BTW, notice that by default, and considering there is no CA certifying 
logos yet afaik, you simply have to validate the (regular) certificate 
the first time you get a public key from the server...
-- 
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)
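
The decision discussed in this message, as an added example that is not part of the original post and is not the TrustBar code: a logo is shown only when an LCA the user has chosen to trust certified it, the certifying LCA is returned for display, and otherwise the browser falls back to validating the key on first use. The `LogoCert` and `TrustStore` names, the status strings and the sample data are assumptions, and certificate signatures are assumed to be verified already.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LogoCert:
    """Hypothetical logo certificate; signature assumed already verified."""
    issuer: str   # logo certifying authority (LCA) that vouches for the logo
    site: str     # host name the logo is bound to
    logo_id: str  # stands in for the logo image

@dataclass
class TrustStore:
    trusted_lcas: set[str]                               # LCAs the user chose to trust
    pins: dict[str, str] = field(default_factory=dict)   # site -> key fingerprint

    def evaluate(self, site: str, pubkey: bytes, certs: list[LogoCert]):
        """Return (status, logo_id, issuers_to_display) for the credentials area."""
        accepted = [c for c in certs
                    if c.site == site and c.issuer in self.trusted_lcas]
        if accepted:
            # Show the logo together with every trusted LCA that certified it.
            issuers = sorted({c.issuer for c in accepted})
            return ("LOGO", accepted[0].logo_id, issuers)
        # No logo certificate from a trusted LCA: fall back to first-use validation.
        fp = hashlib.sha256(pubkey).hexdigest()
        pinned = self.pins.get(site)
        if pinned is None:
            return ("FIRST_USE", None, [])      # user must validate the certificate
        if pinned != fp:
            return ("KEY_CHANGED", None, [])    # differs from the key validated earlier
        return ("PINNED", None, [])

    def confirm(self, site: str, pubkey: bytes) -> None:
        """Record the key after the user has validated it on first use."""
        self.pins[site] = hashlib.sha256(pubkey).hexdigest()

# Constructed sample data: one certificate from an untrusted LCA, one from a trusted LCA.
store = TrustStore(trusted_lcas={"USPTO"})
certs = [LogoCert("LCA-Unknown", "ibm.example", "ibm-logo"),
         LogoCert("USPTO", "ibm.example", "ibm-logo")]
```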