Date: Mon, 18 Aug 2003 16:49:01 -0700
From: jpierre@netscape.com (Julien Pierre)
Subject: Re: Re (subtopic): certificate issuance and trust
To: "Steve Hole" <steve.hole@messagingdirect.com>
cc: ietf-smime@imc.org
In-Reply-To: <EXECMAIL.20030818101458.A1101@kepler.esys.ca>
Message-ID: <3F4165ED.7@netscape.com>
References: <3F3DA098.1040008@netscape.com> <3F3C4C43.6010205@netscape.com>
 <3F3AF421.6060008@netscape.com>
 <2A1D4C86842EE14CA9BC80474919782E01112FFC@mou1wnexm02.verisign.com>
 <001301c360ef$41128990$0500a8c0@arport>
 <EXECMAIL.20030814103028.E@kepler.messagingdirect.com>
 <EXECMAIL.20030815124859.C1437@kepler.esys.ca>
 <EXECMAIL.20030818101458.A1101@kepler.esys.ca>
Organization: Netscape


Steve

Steve Hole wrote on 08/18/2003, 10:14:

 > I talk about cost a lot.   The average cost of a call to support is $18,
 > so it needs to be avoided at all costs (pun intended).
 >
 > The interfaces provided by IE and/or Netscape provide much simpler, not so
 > "in-your-face" UI for cert management when there is no trust involved.

It sounds to me like your grief is not so much with the current 
trust model and PKI or S/MIME specifications, but with certain vendor 
implementations. I'm afraid that's something you have to work out with 
these vendors.

 > > What are the advantages of these pseudo-security products ?
 >
 > They avoid certification.
 >
 > They address the 36% of the Internet that doesn't use or have access to
 > S/MIME software -- primarily AOL, Yahoo!Mail and Hotmail.   If you're in a
 > model 2 scenario you MUST do something useful with those and the solution
 > is pseudo security.   Interestingly, it seems good enough for most people,
 > especially if it avoids calls to service reps.

AOL will be taken care of, eventually. The newest client software (AOL 
Communicator) already supports S/MIME. There are still issues with the 
mail servers unfortunately so it doesn't work today. Encryption works 
through it, but signing doesn't (sigh).

Webmail in general is a problem and cannot be truly taken care of, 
unless the user is willing to trust his ISP with his private key, e.g. 
by uploading a PKCS12 file ...

Another solution might be some sort of Java applet that would decrypt 
the message. But it would have to know about each webmail provider and 
the layout, so it would be icky.

Perhaps some standard for webmail is the only solution, e.g. a MIME 
type transmitted over HTTP that would allow the browser to invoke the 
proper S/MIME client.

 > This sucks!

In general the users don't have only webmail access though, they 
typically have a mailbox from their access ISP which can work with the 
S/MIME clients that already exist today.

 > Well, I'm not an expert on ISP business models.   Everything I've ever
 > been told suggests that there is almost no margin in the business model
 > and additional costs are hard to bear or pass through.   For this you have
 > to convince the masses that security is what they want, and I can tell you
 > from experience that that is a very difficult thing to do.   And my
 > experience comes from a business usage perspective where the content
 > definitely is sensitive in nature -- much more so than most email between
 > Mom and Aunt Jane.

I'm not an expert on this business model either, but look at the 
latest AOL ads - "safe broadband", etc. This is certainly an area in 
which consumers are being educated right now, and security is something 
that consumers are getting interested in. I personally think there is 
hope for mass S/MIME deployment in the not-so-distant future.

 > If you can acquire a delegated cert.   We haven't checked recently, but 6
 > months ago we couldn't buy one.    Thawte used to sell them for $100K, but
 > since have discontinued because there was no business there.   We should
 > go check again.   It was the simple and obvious thing to do, but because
 > there was nobody doing it, the service wasn't offered by the CA's.

We have had our own CA chained with a known public root at 
Netscape for years. We did change issuer a couple of times. Our current one 
is GTE. I think previously we used Verisign. I wasn't the one dealing 
with it, and I don't know the cost, but I can tell you that the service 
exists. Since there are about 100 known roots now, you could go to any 
of them and ask about the service. I think I read that RSA 
Security was offering that service as well, and it cost less than $100k.

 > The client would have to have some secure means of "synchronizing" its
 > cache to a centralized service.   You get this with Microsoft services by
 > downloading a cert package from Windows Update.   The problem is that it
 > only works for Windows products (at least that way) and we need something
 > that is vendor independent.   The approach seems OK to me as long as it is
 > "automatic".

Yes. We need a standard way of distributing roots. We also need a way of 
distributing trust, i.e. a subscriber model.
It sounds to me like this proposal belongs on the PKIX list, so maybe we 
should move it there.
I don't see the root distribution problem as a major roadblock to 
deployment today since the services for getting chained CAs exist.

 > Seems logical.   In practice we were unable to make it happen.   We needed
 > to go through special negotiation because it wasn't a standard service
 > offering and there was a serious price issue for the signing cert.

Yes, it may not be a standard service, but if you need it there is far 
more than one issuer to go to these days.

 > In Netscape, yes.   In others no.   You actually get a Hex dump of the
 > cert with a message that says something like "Do you trust this
 > certificate with policy blah blah".   About 45% of the test group stopped
 > at this point.   Most of our customers simply said "too complex, too scary".

As I recall IE brings up something similar to Netscape when the root is 
untrusted. What is the "other" software that is so inflexible ? It seems 
to me that you need to take it up with the software vendor.

 > Yes, I know it should be scary etc.   The problem is that the average user
 > just doesn't get it, doesn't want to get it.  It's a barrier to uptake.
 > For the model 2 usage scenario uptake is everything because the economic
 > benefit is based on paper suppression and resulting cost reductions.
 >
 > That's all.

You can't require everybody to move to the S/MIME model at once. Even if 
a small percentage starts using it, the cost of printing and mailing is 
high. If you eliminate things like printed monthly statements, it 
shouldn't take a bank more than a small percentage of users to move to 
S/MIME to recoup its costs or actually profit.

 > >  > First of all, $0.01 per cert for 25M customers is $2.5M annually.
 > >
 > > No, it is $250,000 .
 >
 > Whoops ... dyslexic on the cost per cert.   The cheapest price we got was
 > $0.10 (man, I *looked* at that at least five times too - senility).

That's still very low, but it's also likely less than the cost of 
printing and sending a single traditional communication.

 > Anyway,
 > the numbers weren't randomly chosen.  They were the numbers that we used
 > in an actual RFP response in which the customer eventually took the
 > one-way signing + encryption and decided against two-way with
 > bidirectional signing.   The actual cost was $2.5M per year.
 >
 > Security costs.  My example was intended to show that, in this instance at
 > least, it costs too much even for relatively rich organizations.

I also know there are other financial organizations that spend much more 
on better security, and get more returns out of it. Look at credit card 
issuers starting to use smartcards. They have to bear the cost of the 
hardware in addition to the certs. They have millions of customers too. 
But some are doing it still (Amex). In Europe banks have been using 
smart chips on bank cards for decades. And believe it or not, they have 
been charging each customer to get those bank cards, too. Every bank 
over there is doing it though, because it reduces the transaction costs. 
We are not talking 10 cents per chip. With current generation smartcards 
they could afford to throw in certs for email as an extra and also 
eliminate the paper statements. Many of the issuers already have their 
own public roots to do it.

-- 
I am the dog in dogfood


