Re: [TLS] EU cards

Yoav Nir <> Fri, 29 July 2011 11:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 495EE21F869D for <>; Fri, 29 Jul 2011 04:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.475
X-Spam-Status: No, score=-10.475 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qzLIfhgtnp6e for <>; Fri, 29 Jul 2011 04:33:33 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id DF9A921F86A4 for <>; Fri, 29 Jul 2011 04:33:31 -0700 (PDT)
X-CheckPoint: {4E32A819-2-1B221DC2-FFFF}
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id p6TBXSR9016680; Fri, 29 Jul 2011 14:33:28 +0300
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 29 Jul 2011 14:33:28 +0300
Received: from ([]) by ([]) with mapi; Fri, 29 Jul 2011 14:33:27 +0300
From: Yoav Nir <>
To: Henry Story <>
Date: Fri, 29 Jul 2011 14:33:26 +0300
Thread-Topic: [TLS] EU cards
Thread-Index: AcxN41WLdK9DeIbuS/2zuFDgULSIOw==
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: " List" <>
Subject: Re: [TLS] EU cards
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Jul 2011 11:33:34 -0000

On Jul 29, 2011, at 4:00 AM, Henry Story wrote:

> My take from this whole discussion is that PKI has been sold to unilaterally to one group of people. It has been sold to large banks and security heavy industries. They tend to make things more complicated, and their security people are too security conscious, having to deal with the most determined enemies. A good security profession in banks MUST like a good military man, be far from the daily family life. He is there to think about disasters, so that they don't happen, so that nobody should think about them. 
> What should happen instead is to lower the security requirements, and enter the mass market. Just as we don't put fort knox security on our houses, but use simple keys with well known security issues, so one should start using PKI in a cheap but useful way.

The well-known issues in keys allow an expert to invade a home and steal the big-screen TV. It does not allow the expert to automatically invade all 100,000,000 homes in the US and steal every TV. Computers are very good at automation.

> To get that ball rolling PKI has to be dirt cheap, and extremely useful. It has to be 
> - one click to create a throw away certificate
> - authenticate across all sites (as Facebook connect does)
> (-> tie into the social web)

So what would PKI (with throw-away certificates) bring to the table that facebook connect doesn't?

> That would provide a big enough improvement over passwords to get people interested, and it has a viral side to it. As soon as it works for enough people, those people become interested in getting others on board too.

I don't see why. Logging into my bank to check my account balance is not one of those activities I like to share with friends. This is totally different from watching a funny video on youtube or pictures of cats with witty remarks.

> With millions or billions of adopters you can create the momentum, and the mass market, that will make all the other problems easy to solve. If there were just a million active developers in open source software using PKI every day for checking in software and communicating with their peers, you would soon find the technology make its way into every web site, and browsers being adapted to make their interface easy to use. With mass adoption it would be much easier to solve all the other technological problems, because citizens and politicians would have an immediate understanding of what you were talking about.

Again, PKI without a trust relationship with an identity provider can make some protocols more efficient (compare OpenID to BrowserID) but it doesn't bring any new security to the table.