Date: Wed, 16 Feb 2005 16:34:27 -0800
From: "David Schwartz" <davids@...master.com>
To: <bkfsec@....lonestar.org>
Cc: <kbo@....tiscali.de>, "Vincent Archer" <var@...y-all.com>, <bugtraq@...urityfocus.com>, "Scott Gifford" <sgifford@...pectclass.com>
Subject: RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

> > No CA wants to find out what market forces will appear as soon as they
> > prove to be untrustworthy. There are already many vehicles for immediately
> > deploying blacklists. For example, Symantec could release an update for any
> > of their security products that removed a root CA. It wouldn't take more
> > than a small percent of web users to have a problem with a CA before people
> > wouldn't want their certificates to be signed by that CA.

> Symantec wouldn't do this. The backlash they would receive from angry
> users alone would be enough to discourage it, never mind the potential
> for legal problems.

Then somebody else would. Market demand creates solutions. I can't see how
the legal issues are any different from the ones they face when they label
software as adware or spyware.

> Comparing CA accountability to meat sales isn't a valid analogy.
> Obviously, the CAs don't want to be regulated, but trusting them because
> of this is a bit like saying that business owners would never short-pay
> an employee because of fear of what the employees would do.

No, that's not what I'm saying. I'm saying they might do it, and if they do,
the mechanisms will appear immediately to fix it.

> It's also like saying that corporations never form trusts and price fix
> for fear of the consumer.

No, they never do so because such strategies only work in very unusual
circumstances. Nobody can make a person pay more for something than it is
worth.

> Obviously, both of these assumptions are wrong and the assumption
> regarding CAs is also wrong. The fact that it is assumed in the first
> place is *the problem*.

I'm not assuming anything; I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it; people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.

> Also, the fact that the CA market is competitive only further muddies
> the waters. Not all CAs are in the same country and their competition
> forces them to be price-competitive. This reduces the priority of being
> responsible. Or, to use your meat analogy, mass-produced meat tends to
> be of a lower quality than individually produced meat products,
> particularly in unregulated countries.

I could not disagree more. All a CA has to sell is its trust. The trust is
its product. CAs sell trust; they are in the trust business. If a CA loses
the trust of browser vendors, it has nothing to sell. If a CA loses the trust
of users, pressure will be put on browser vendors.

> People who think that the market will inherently protect them have been
> reading too much Ayn Rand and need to step away from the
> fiction-proposed-as-fact aisle. No offense meant by that - it's said
> tongue-in-cheek. :)

Except that it does. Especially when all a company has to sell is its trust.
This is true in many markets where companies have specifically set up to
sell trust. You don't see people bribing the MPAA or Consumer Reports,
because such things could not possibly be hidden, and there's an immediate
market remedy (stop trusting).

DS