Re: [Asrg] Consent Proposal
Markus Stumpf <maex-lists-spam-ietf-asrg@Space.Net> Tue, 01 July 2003 23:58 UTC
From: Markus Stumpf <maex-lists-spam-ietf-asrg@Space.Net>
To: Danny Angus <danny@apache.org>
Cc: Yakov Shafranovich <research@solidmatrix.com>, asrg@ietf.org
Subject: Re: [Asrg] Consent Proposal
Message-ID: <20030702015753.F74353@Space.Net>
References: <5.2.0.9.2.20030701172458.00bd1de0@std5.imagineis.com> <HKEFKPNPJLANNFPFMDKJIEJOIIAA.danny@apache.org>
In-Reply-To: <HKEFKPNPJLANNFPFMDKJIEJOIIAA.danny@apache.org>; from danny@apache.org on Tue, Jul 01, 2003 at 10:54:46PM +0100
Organization: SpaceNet AG, Muenchen, Germany
Date: Wed, 02 Jul 2003 01:57:53 +0200

On Tue, Jul 01, 2003 at 10:54:46PM +0100, Danny Angus wrote:
> We can look outside the domain of mail to find workable examples of trust,
> PGP and SSL both make provision for the inclusion of out-of-channel trust
> verification. I suppose in this situation it is whom you choose to inherit
> trust from, and ultimately your trusted root trust providers.

I don't think so.
Websites use SSL because every newspaper told Joe User that a server
without SSL is insecure and steals your credit card number.
However, there are lots of Root CAs with different pricing and different
policies, and to be honest I don't trust any of them to get it right.
So the Joe Users get tricked, but I don't think any of the more technically
oriented really get trust from an SSL CERT.

Thawte, for example, tries to trick them even more. Go to
http://www.thawte.com/
and check the "SiteSeal". You can plug an image on your website that
should tell the visitor that this is a kewl secure site. They do a lot
of technical stuff and JavaScript to make it as sure as possible for
spoofing, but Joe User only sees an image and he won't even understand
the technique involved. So I copy an image over and now my site is also
real kewl, safe and protected, and no Joe User will ever notice it's a fake.
Joe User will stop looking at the browser's security info page that gives
the REAL security information, but look at yet another picture, and will
be tricked into a nonexistent security.

For PGP they create a "web of trust". Guess what happens if I get your
public key from a keyserver. Then I create 200 fake certificates and
sign your key, and after that I revoke the signatures and submit it back to
the keyserver. Who do you think will trust your key any longer?

There is no such thing as established working "trust" mechanisms in
the Internet of today (IMHO!!)
They all fail miserably, if only because of nonexistent working
revocation spreading mechanisms.
If I get a CERT from Verisign for 2 years and they revoke it after one
year, who do you think will notice that?
With their security breach some months ago, antivirus producers added
the falsely issued certs to their antigenes so that the end user has at
least a very little chance to notice abuse.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"