[Cryptography] distrusted root CA: WoSign

ianG iang at iang.org
Tue Oct 4 16:48:38 EDT 2016


On 3/10/2016 07:21 am, Ben Laurie wrote:
> On 2 October 2016 at 23:14, ianG <iang at iang.org> wrote:
...
>> Peter's rhetoric is actually a bit soft.  No security protocol can be
>> analysed outside the context of the users and institutions who field it.
>> The real place any change is blocked is CA/B Forum, the browsers, the IETF,
>> the CAs, the auditors and the software creators, all of whom are locked in a
>> deadly embrace.  And they like it that way, the incumbent people within are
>> mostly not volunteers as we might imagine in the open source world, but
>> instead are employed and paid to promote the model.
>>
>> So why would they change?
>
> Change to what?


Their paycheques?


>> CAB Forum was born in darkness, and grew in darkness.  They didn't open it
>> up until after they had laid down a new framework for standards that locked
>> in the old model even tighter.  Even when they opened it up, after two or
>> three years of secret policy preparation, they carefully made sure that no
>> open or outside or user-oriented voice would be able to change things.
>>
>>>> What is your proposed solution? Put up or shut up.
>>
>> This reminds me of the "where's your patch?" rhetoric.  The problem with
>> this lazy slap down
>
> Dude. You are talking to a guy who has spent four years improving the
> system instead of complaining it can't be improved. Don't call me
> lazy.

Not sure how one converts a lazy slapdown to being called lazy, but 
rhetoric isn't everyone's cup of tea.

And, if you want people to open the kimono and claim how many years each 
has tried to improve the system, let me add my ask:  we also divide by 
the salary we took while doing it.


> The problem with _your_ lazy slapdown is it is just more lame rhetoric.


Right.  We're now at the point where the reality hits - everything that 
is said by one side or the other is rhetoric.  Neither side can reach 
the other.  That's the point I was making.

You spent 4 years?  I probably spent 6 years following the "Mozilla open 
route."  Guess what - they're locked tight.  The openness at Mozilla is 
a travesty.  The last straw for me was not the CA/B Forum secret 
policies but the fact that Mozilla were routinely, regularly and 
secretly having private discussions with CAs about matters that were 
being debated openly - as if the open debate was important.

If even Mozilla can't be open, there's no hope.


>> is that a person could spend months writing a patch and
>> have it rejected.  It is pretty clear for example that if we send in a patch
>> for Chrome to implement say Jerry's idea or any of 100 ideas proposed, it
>> would go nowhere.
>
> I am not suggesting you write a patch, I am suggesting you propose
> something that actually works instead of whining about how the system
> is fixed. So far, I have seen no such proposal.


And you won't.  If I were to propose a solution like e.g. how we 
proposed certificate pinning back in the mid 2000s, the CA side (I won't 
say you) will come back and say, no that doesn't solve the problem.  Or, 
go see the IETF.  Or propose it to CA/B Forum.  Or, that'll never work. 
Or, it's been tried.  Or, or, or.

Part - the honest part - of the problem is that we haven't decided whose 
problem we're solving.

If I could hazard a guess, you're solving google's problem.  I'm 
uninterested in that.  I'd like to solve the users' problem.  Pretty 
tough to square that triangle.


>> This doesn't mean you're wrong.  You could be right.  But the difference
>> between that and building the franchise, locking out others, is nothing.
>>
...
>> PKI is a tribe.  There is no way to change it.  And it is totally pointless
>> to even talk to the tribe about their religion.
>>
>> The only thing that can be done is to bypass it.  Totally.
>
> How?


QUIC was looking pretty nice ... but I hear they've added TLS 1.3 for 
the Kex.  Darn it.

TCPINC was looking great until somebody had the bright idea of putting 
TLS 1.3 into TCP.  I'm not sure where that is right now, I kind of got 
depressed when I realised the game theory of it - it was trivial for the 
NSA to just stuff exactly N sybils in there and keep it in deadlock.


>>>> What can you do that is radically better than CAs + transparency?


QUIC and no CAs.  Bloody brilliant.  TCPINC and bootstrap upwards.  Awesome.


>>> That is a fine question. I've not seen any good answers myself in
>>> the last 20 years which is a shame. I have seen many proposals for
>>> things that are a little better than X.509-based PKI, but none of
>>> them that were sufficiently better to displace the current, wildly
>>> imperfect, X.509-based PKI.
>>
>> They will never displace.  Any sufficiently good technology (and there are a
>> few) will not displace PKI-secured browsing but bypass it and create an
>> entirely new system.
>>
>>> I do think CT is an improvement though, and in the longer term may
>>> point to other solutions involving large databases of public keys.
>>> But I've yet to see one of those that might really take hold.
>>
>> CT is making its mark.  What is poignant is that it took a company with
>> google's resources and position to do it.  The notion that even google had
>> to work hard at it puts the lie to the notion that any one less could make
>> changes.
>
> Once more: what is the change that should be made?


Remember - I'm not saying what the change is to be, not any more, now 
that I've shown after a 6 year personal effort that no change is 
possible.  (Granted, not without a google.)

But, assuming someone wants to change - what is the objective of the 
change?  Whose security is being threatened?

Let's try one.  Mass surveillance.  Thousands of hacked Cisco and 
Juniper boxes (or however the NSA do it) are scarfing up all the traffic 
of the net they can copy.

By copying.  That's byte for byte, a technique that works because there 
is approximately zero crypto on the net.  How do we fix that?

Put crypto on the net.  Something like all browsers doing ADH to all 
servers would be ... like a year's work for interns, right?  It's a 
known mode, right?

What's the current ratio of open web traffic to encrypted web traffic?

Would ADH set back the NSA ?  Yes it would, it would force them to go 
active and attack the nodes they wanted, risking they were spotted. 
Which I'm quite happy to let them risk, because they'll take that risk 
if they are convinced it's bad guys they're chasing.

Dude.  We could talk for 4 years and never reach.


iang
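
Added example, not code from the post or the list: a toy anonymous Diffie-Hellman exchange in Python that illustrates the ADH argument above. A passive tap that only copies bytes ends up holding public values it cannot turn into the session key, while an attacker must go active and substitute its own key on both legs, which leaves the two endpoints with different keys that an out-of-band fingerprint check exposes. The group parameters and function names are constructed for illustration, not a deployable group.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration only; a real deployment
# would use a standard 2048-bit or larger group, never a prime this small).
P = 2**127 - 1   # a Mersenne prime: readable in a demo, far too small to deploy
G = 3

def keypair():
    """Fresh ephemeral private/public pair; nothing is signed (anonymous DH)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def passive_copy():
    """Attacker that only copies bytes: records both public values, derives nothing.

    Returns (endpoints_agree, wire_transcript)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = [a_pub, b_pub]           # everything a byte-for-byte tap can record
    k_alice = session_key(a_priv, b_pub)
    k_bob = session_key(b_priv, a_pub)
    # The tap holds no private exponent, so recovering the key would mean
    # solving a discrete log; copying alone no longer yields plaintext.
    return k_alice == k_bob, wire

def active_mitm():
    """Attacker that goes active and substitutes its own public value on both legs.

    Returns (mallory_keys_with_alice, mallory_keys_with_bob, endpoint_keys_differ)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()       # attacker's own ephemeral key
    k_alice = session_key(a_priv, m_pub)   # Alice unknowingly keys with Mallory
    k_bob = session_key(b_priv, m_pub)     # and so does Bob
    k_m_alice = session_key(m_priv, a_pub)
    k_m_bob = session_key(m_priv, b_pub)
    # Mallory can now relay, but Alice and Bob no longer share a key: comparing
    # a short fingerprint of the key out of band, or pinning a previously seen
    # key, detects the substitution. This is the "forced to go active" cost.
    fp_alice, fp_bob = k_alice[:4].hex(), k_bob[:4].hex()
    return k_alice == k_m_alice, k_bob == k_m_bob, fp_alice != fp_bob
```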

