Re: [secdir] [TLS] secdir review of

"Jeffrey A. Williams" <> Fri, 24 September 2010 22:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D3283A6AC0; Fri, 24 Sep 2010 15:15:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.464
X-Spam-Status: No, score=-1.464 tagged_above=-999 required=5 tests=[AWL=0.820, BAYES_00=-2.599, SARE_MILLIONSOF=0.315]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A0--0CpZLpnt; Fri, 24 Sep 2010 15:15:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 345863A6A91; Fri, 24 Sep 2010 15:15:05 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327;; b=I8hsuBhNeUkoFqFeoP9Fn9By1K3xWOzCmQYrq/KFrNqN8WxY8PuGYwHceJsKTpWE; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [] ( by with esmtpa (Exim 4.67) (envelope-from <>) id 1OzGYK-00071t-8I; Fri, 24 Sep 2010 18:15:36 -0400
Received: from by with HTTP; Fri, 24 Sep 2010 18:15:35 -0400
Message-ID: <>
Date: Fri, 24 Sep 2010 17:15:35 -0500
From: "Jeffrey A. Williams" <>
To: Robert Relyea <>,
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e51960688c2c6bf9cb4ca647aad8afc34653425aa350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Mailman-Approved-At: Fri, 24 Sep 2010 18:36:44 -0700
Subject: Re: [secdir] [TLS] secdir review of
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "Jeffrey A. Williams" <>
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Sep 2010 22:15:22 -0000

bob and all,

  I think Bob's exactly right here.  Thanks bob for being
so concise.  >:)

-----Original Message-----
>From: Robert Relyea <>
>Sent: Sep 24, 2010 5:00 PM
>Subject: Re: [TLS] [secdir] secdir review of
>On 09/24/2010 01:29 PM, Martin Rex wrote:
>> Peter Saint-Andre wrote:
>>> For context, the "quoted advice" is mostly a description of current
>>> usage in some existing user agents. Incorporating Barry's suggestions,
>>> that text currently reads as follows in our working copy:
>>>       Security Note: Some existing interactive user agents give advanced
>>>       users the option of proceeding despite an identity mismatch.
>>>       Although this behavior can be appropriate in certain specialized
>>>       circumstances, in general it ought to be exposed only to advanced
>>>       users and even then needs to be handled with extreme caution, for
>>>       example by first encouraging even an advanced user to terminate
>>>       the connection and, if the advanced user chooses to proceed
>>>       anyway, by forcing the user to view the entire certification path
>>>       and only then allowing the user to accept the certificate on a
>>>       temporary basis (i.e., for this connection attempt and all
>>>       subsequent connection attempts for the life of the application
>>>       session, but not for connection attempts during future application
>>>       sessions).
>> This whole paragraph is evil and completely wrong.
>> It's bad enough that the web browser crowds replaced a useful option
>> and important security feature with an extremely evil scary page.
>No, this paragraph is exactly what should happen. Click through dialogs
>are demonsterably useless. They train users to ignore them. The only
>place for them is if you decide that validation is not necessary.
>> Offering to end-users, in a single-time-only leap-of-faith approach similar
>> to what SSH has been successfully doing since its invention to memorize
>> the peers certificate is magnitudes more secure than the endpoint
>> identification linking to one of a hundred trust anchors, provisionally
>> preconfigured by your software supplier.
>SSH is good for small numbers of point to point connections where the
>user controls both sides. SSH model is not appropriate for the general
>population connection to millions of webservers. That is why SSH is used
>extensively in admin deployments (where the admin controls both
>machines) and is not used for e-commerce. If you want that semantic use
>SSH. If you want security for the masses, use SSL (with full PKI).
>[ case where SSL is being used for an SSH use case deleted]

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300k members/stakeholders and growing, strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
Phone: 214-244-4827