[Cryptography] Toxic Combination
iang at iang.org
Mon Dec 8 10:48:21 EST 2014
On 8/12/2014 11:06 am, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
>> [Long, well thought-out reply]
> Thanks, that was pretty much what I was going to say. Just one minor nit:
>> On 4/12/2014 11:28 am, Ben Laurie wrote:
>>> they're all in a secret cartel to keep CAs in business? Really?
> Actually not quite, the CAB Forum isn't a secret cartel, they're quite public
> about what they do, and even have their own web site.
Ah, I had hoped to choose my words carefully, but maybe not.
CABForum may not be a secret cartel *now* but they certainly started as
one, and did the important work as one. And, they prepared the two key
documents in total secrecy, away from the public eye, then sprung them
on a naive public.
E.g., Baseline Requirements was 2 years in the making, and not a word
was breathed about that document in the Mozilla forums before it was
complete. Mozilla itself was working on the document in secret, while
talking the open talk on the open mailing list. It was a complete coup,
a pillaging of the Mozilla manifesto by insiders.
After Baseline Requirements was rammed through a false public comment
period using Mozilla's "open" list (yes I was there, it was rammed)
CABForum started to open up. Certain large users such as Paypal had
publicly expressed serious reservations about being part of a secret
cartel by then, and the taint of truth was hard to shake.
But by then the damage was done -- the key documents were set in
contract and the end-user was totally screwed.
As to whether they are fully open now, I don't know, but I personally
doubt it. We'd have to check the voting structure and see if you and I and
everyone with users' interest in mind can for example join and get a
vote, enough to outweigh the power of the vendors or the CAs. I'd bet
dollars to dust that they've structured it such that the CAs maintain
power, we can't for example overturn BR and put in some user-aligned
> Apart from that I agree with everything you've said.
ObCrypto: just another page in the history of why secure browsing ended
up where it is. Crypto is less a dual-purpose munition, more a
multi-bladed swiss army knife that'll make a mess of clumsy fingers.