Re: [Asrg] Consent Proposal

Markus Stumpf <maex-lists-spam-ietf-asrg@Space.Net> Tue, 01 July 2003 23:58 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA21531 for <asrg-archive@odin.ietf.org>; Tue, 1 Jul 2003 19:58:38 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19XV0h-00063T-Ss for asrg-archive@odin.ietf.org; Tue, 01 Jul 2003 19:58:12 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h61Nw7EG023269 for asrg-archive@odin.ietf.org; Tue, 1 Jul 2003 19:58:07 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19XV0h-00063E-Pd for asrg-web-archive@optimus.ietf.org; Tue, 01 Jul 2003 19:58:07 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA21490; Tue, 1 Jul 2003 19:58:03 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19XV0f-0002dq-00; Tue, 01 Jul 2003 19:58:05 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19XV0f-0002dn-00; Tue, 01 Jul 2003 19:58:05 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19XV0d-00060B-96; Tue, 01 Jul 2003 19:58:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19XV0W-0005zS-Vs for asrg@optimus.ietf.org; Tue, 01 Jul 2003 19:57:57 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA21479 for <asrg@ietf.org>; Tue, 1 Jul 2003 19:57:53 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19XV0U-0002dJ-00 for asrg@ietf.org; Tue, 01 Jul 2003 19:57:54 -0400
Received: from moebius2.space.net ([195.30.1.100] ident=qmailr) by ietf-mx with smtp (Exim 4.12) id 19XV0T-0002dC-00 for asrg@ietf.org; Tue, 01 Jul 2003 19:57:53 -0400
Received: (qmail 12726 invoked by uid 1013); 1 Jul 2003 23:57:53 -0000
From: Markus Stumpf <maex-lists-spam-ietf-asrg@Space.Net>
To: Danny Angus <danny@apache.org>
Cc: Yakov Shafranovich <research@solidmatrix.com>, asrg@ietf.org
Subject: Re: [Asrg] Consent Proposal
Message-ID: <20030702015753.F74353@Space.Net>
References: <5.2.0.9.2.20030701172458.00bd1de0@std5.imagineis.com> <HKEFKPNPJLANNFPFMDKJIEJOIIAA.danny@apache.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <HKEFKPNPJLANNFPFMDKJIEJOIIAA.danny@apache.org>; from danny@apache.org on Tue, Jul 01, 2003 at 10:54:46PM +0100
Organization: SpaceNet AG, Muenchen, Germany
X-PGP-Fingerprint: 66 F3 75 79 01 D0 B8 5F 1A C7 77 88 4A B6 70 DF
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Wed, 02 Jul 2003 01:57:53 +0200

On Tue, Jul 01, 2003 at 10:54:46PM +0100, Danny Angus wrote:
> We can look outside the domain of mail to find workable examples of trust,
> PGP and SSL both make provision for the inclusion of out-of-channel trust
> verification. I suppose in this situation it is whom you choose to inherit
> trust from, and ultimately your trusted root trust providers.

I don't think so.

Websites use SSL because every newspaper told Joe User that a server
without SSL is insecure and steals your credit card number. However,
there are lots of Root CAs with different pricing and different
policies, and to be honest I don't trust any of them to get it right.
So the Joe Users get tricked, but I don't think any of the more
technically oriented really get trust from an SSL CERT.
Thawte, for example, tries to trick them even more. Go to http://www.thawte.com/
and check the "SiteSeal". You can plug an image on your website that
should tell the visitor that this is a kewl secure site. They do a lot
of technical stuff and Javascript to make it as secure as possible against
spoofing, but Joe User only sees an image and he won't even understand
the technique involved. So I copy an image over and now my site is also
real kewl, safe and protected, and no Joe User will ever notice it's a fake.
Joe User will stop looking at the browser's security info page that gives
the REAL security information, but look at yet another picture and will
be tricked into a non-existent security.

For PGP they create a "web of trust".
Guess what happens if I get your public key from a keyserver. Then I
create 200 fake certificates and sign your key, and after that I revoke
the signatures and submit it back to the keyserver. Who do you think will
trust your key any longer?

There is no such thing as established working "trust" mechanisms in the
Internet of today (IMHO!!). They all fail miserably, if only because of
non-existent working revocation-spreading mechanisms. If I get a CERT
from Verisign for 2 years and they revoke it after one year, who do you
think will notice that? After their security breach some months ago,
antivirus producers added the falsely issued certs to their antigens
so that the end user has at least a very small chance to notice abuse.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
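The revocation point made in the message above ("who do you think will notice that?") can be demonstrated with the openssl command-line tool. The script below is an added example, not code from the thread or from any of the parties mentioned in it: it builds a throwaway CA (the constructed "Demo Root CA"), issues a leaf certificate, revokes it and publishes a CRL, then verifies the leaf twice. With the default verification the revoked leaf is still accepted, because nothing consults the CRL; only a verifier explicitly told to check revocation (`-crl_check`) rejects it. All names, paths and the config file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread above): a throwaway PKI built with the
# openssl CLI to show that a revoked certificate still passes chain
# validation unless the verifier actually consults the CRL.
# Everything here (names, paths, the "Demo Root CA") is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for "openssl ca" so it can sign a leaf and issue a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

setup_demo_pki() {
    mkdir -p newcerts
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    # Self-signed demo root and a leaf certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo Root CA" -days 365 -config ca.cnf >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem >/dev/null 2>&1
    # The CA revokes the leaf and publishes a CRL saying so.
    openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Returns 0 if the leaf validates when the CRL is ignored (the default behaviour).
leaf_ok_without_crl_check() {
    openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
}

# Returns 0 if the leaf validates when the verifier is told to check the CRL.
leaf_ok_with_crl_check() {
    openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl leaf.pem >/dev/null 2>&1
}

setup_demo_pki
if leaf_ok_without_crl_check; then
    echo "no CRL check: revoked leaf accepted"
fi
if leaf_ok_with_crl_check; then
    echo "CRL check: revoked leaf accepted (unexpected)"
else
    echo "CRL check: revoked leaf rejected"
fi
```

The point for a defender is the first branch: a relying party that never fetches the CRL (or an OCSP response) has no way to learn the certificate was withdrawn, which is exactly the gap the message describes. Checking revocation has to be switched on and kept reachable at the verifier, not assumed.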