[Cryptography] Toxic Combination

ianG iang at iang.org
Mon Dec 8 10:48:21 EST 2014

On 8/12/2014 11:06 am, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
>> [Long, well thought-out reply]
> Thanks, that was pretty much what I was going to say.  Just one minor nit:
>> On 4/12/2014 11:28 am, Ben Laurie wrote:
>>> they're all in a secret cartel to keep CAs in business? Really?
>> Yes,
> Actually not quite, the CAB Forum isn't a secret cartel, they're quite public
> about what they do, and even have their own web site.

Ah, I had hoped to choose my words carefully, but maybe not.

CABForum may not be a secret cartel *now* but they certainly started as 
one, and did the important work as one.  And, they prepared the two key 
documents in total secrecy, away from the public eye, then sprang them 
on a naive public.

E.g., Baseline Requirements was 2 years in the making, and not a word 
was breathed about that document in the Mozilla forums before it was 
complete.  Mozilla itself was working on the document in secret, while 
talking the open talk on the open mailing list.  It was a complete coup, 
a pillaging of the Mozilla manifesto by insiders.

After Baseline Requirements was rammed through a false public comment 
period using Mozilla's "open" list (yes I was there, it was rammed) 
CABForum started to open up.  Certain large users such as Paypal had 
publicly expressed serious reservations about being part of a secret 
cartel by then, and the taint of truth was hard to shake.

But by then the damage was done -- the key documents were set in 
contract and the end-user was totally screwed.

As to whether they are fully open now, I don't know, but I personally 
doubt it.  We'd have to check the voting structure and see if you and I and 
everyone with users' interest in mind can for example join and get a 
vote, enough to outweigh the power of the vendors or the CAs.  I'd bet 
dollars to dust that they've structured it such that the CAs maintain 
power, we can't for example overturn BR and put in some user-aligned 

> Apart from that I agree with everything you've said.


ObCrypto:  just another page in the history of why secure browsing ended 
up where it is.  Crypto is less a dual-purpose munition, more a 
multi-bladed swiss army knife that'll make a mess of clumsy fingers.
