Re: [pkix] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication
Adam Langley <agl@google.com> Mon, 12 December 2011 15:43 UTC
From: Adam Langley <agl@google.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Cc: IETF PKIX WG <pkix@ietf.org>, Ben Laurie <ben@links.org>

On Mon, Dec 12, 2011 at 8:21 AM, Miller, Timothy J. <tmiller@mitre.org> wrote:
> That's not quite what I was asking. How does the browser know that the
> list of notaries provided with the proof are the "correct" notaries for
> the site?

There isn't a different set of notaries for each site. The browser knows and trusts a set of notaries. An attacker can choose the notaries that it gets to sign a certificate and, if it gets a quorum of notaries, then it has broken the system.

> Now we arrive at the kernel of your concept. You've improved detection,
> but only detection after the fact. I posit that the average user wants
> detection before the fact.

Yes, I agree. But we're not proposing such a scheme because we don't want to do better, but because we don't realistically think that we can achieve anything stronger. We're claiming that this is a real improvement on the status quo.

A counter argument may be to suggest that limited resources would be better spent elsewhere. That means showing that CT is better than all the alternatives, which we believe that it is. You have a specific example of a possible, better path below...

> Further, in re: usability: I'm sorry, but at least some research on this
> specific topic (and admittedly there isn't much) directly contradicts you.
> E.g., I refer you to:
>
> Simson Garfinkel. "Johnny 2: A User Test of Key Continuity Management with
> S/MIME and Outlook Express". Talk or presentation, 9, September, 2005.

I'm always happy to see actual UI research :)

But it's very unclear if KCM/TOFU translates to the web. Everything's fine until a key changes, and keys certainly change in the real world. In personal interactions, there are always possibilities to query the key change. Indeed, folks in the study tried a form of this, even though they couldn't phone/talk due to the constraints of the study:

"Some settled on a form of Email Based Identification and Authentication[2]: they sent an email message to the attacker’s apparent campaign address to see if the attacker could read and reply to such messages."

But KCM on the web means that we end up asking users the question: "The key for www.bankofamerica.com has changed. Trust yes/no?". We have numbers from opt-in Chrome users which suggest that people click through our big, red interstitials at a very high rate.

But let's assume that they phone Bank of America and manage to get confirmation of a fingerprint. (That would be a pretty stunning achievement in itself!) But websites are complex, what happens when a subresource fails and we ask the user: "The key for tc50.akacdn.com has changed..."?

Cheers

AGL
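
The quorum check described in the first reply above, as an added example that is not part of the original message and not taken from any CT implementation: the browser counts only signatures from its own site-independent notary set, whatever list the server's proof carries. The notary names, keys, the quorum of 2 and the use of HMAC as a stand-in for notary public-key signatures are all assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed notary keys. HMAC stands in for the public-key signatures a real
# notary would produce, so the example runs on the standard library alone.
TRUSTED_NOTARIES = {
    "notary-a": b"constructed-key-a",
    "notary-b": b"constructed-key-b",
    "notary-c": b"constructed-key-c",
}
QUORUM = 2  # assumed threshold; the message does not give a number


def notary_sign(key: bytes, cert_der: bytes) -> bytes:
    """Stand-in signature over the SHA-256 digest of the certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def valid_endorsers(cert_der, proof, trusted=TRUSTED_NOTARIES):
    """Return the trusted notaries that validly signed cert_der.

    proof is a list of (notary_name, signature) pairs sent with the
    certificate, so its contents are chosen by whoever presents it.
    """
    endorsers = set()  # a set, so a notary listed twice counts once
    for name, sig in proof:
        key = trusted.get(name)
        if key is None:
            continue  # not in the browser's own set: ignored, whatever it signed
        if hmac.compare_digest(sig, notary_sign(key, cert_der)):
            endorsers.add(name)
    return endorsers


def accept(cert_der, proof, quorum=QUORUM):
    """Accept only if a quorum of distinct trusted notaries endorsed the cert."""
    return len(valid_endorsers(cert_der, proof)) >= quorum


# Constructed sample inputs.
CERT = b"constructed certificate bytes for www.example.com"
OTHER_CERT = b"constructed certificate bytes for a different key"
SIG_A = notary_sign(TRUSTED_NOTARIES["notary-a"], CERT)
SIG_C = notary_sign(TRUSTED_NOTARIES["notary-c"], CERT)
SIG_ROGUE = notary_sign(b"key-of-a-notary-the-browser-does-not-know", CERT)
PADDED_PROOF = [("notary-a", SIG_A), ("rogue", SIG_ROGUE), ("notary-a", SIG_A)]
QUORUM_PROOF = [("notary-c", SIG_C), ("notary-a", SIG_A)]
```

Here `accept(CERT, PADDED_PROOF)` is false and `accept(CERT, QUORUM_PROOF)` is true: the presenter may pick any trusted notaries, but must obtain signatures from a quorum of them.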