[Cryptography] USB 3.0 authentication: market power and DRM?

Ray Dillinger bear at sonic.net
Mon May 2 13:08:21 EDT 2016


I'm seeing this whole thing as an attempt to prop
up CAs which are otherwise essentially looking at
a failed business model. Even if CAs did what
they're supposed to do there would be no way for
that business to function in the market of USB
equipment.

CAs were supposed to verify identities, respond
to authentication attacks, handle revocations, etc.

The race to the bottom and their business "need"
to support stupid security decisions ("compatibility"
means, if someone is stupid once, therefore everybody
must be stupid forever!) meant, inevitably, that
they only verify that their payments clear.

Certification of USB equipment doesn't even
pretend to have key revocation capabilities or
any way of responding to authorization attacks.
By design it pretty much can't. Which means that
there is literally nothing CAs can contribute
to it. You can tell some piece of kit presents
a key which was valid, for somebody, once. Woo.
Does that, in some way, help?

				Bear


