Re: [TLS] EU cards

Henry Story <henry.story@bblfish.net> Fri, 29 July 2011 08:00 UTC

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 29 Jul 2011 10:00:19 +0200
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: stefan.winter@restena.lu, martin.gaedke@informatik.tu-chemnitz.de, tls@ietf.org
Subject: Re: [TLS] EU cards

My take from this whole discussion is that PKI has been sold too unilaterally to one group of people. It has been sold to large banks and security-heavy industries. They tend to make things more complicated, and their security people are too security conscious, having to deal with the most determined enemies. A good security professional in banks MUST, like a good military man, be far from the daily family life. He is there to think about disasters, so that they don't happen, so that nobody should think about them.

What should happen instead is to lower the security requirements, and enter the mass market. Just as we don't put Fort Knox security on our houses, but use simple keys with well-known security issues, so one should start using PKI in a cheap but useful way. Of course PKI has to solve a problem that passwords don't solve, otherwise they can't get traction. But they don't have to solve EVERY security problem.

To get that ball rolling, PKI has to be dirt cheap and extremely useful. It has to be
 - one click to create a throwaway certificate
 - authenticate across all sites (as Facebook Connect does)
   (-> tie into the social web)

That would provide a big enough improvement over passwords to get people interested, and it has a viral side to it. As soon as it works for enough people, those people become interested in getting others on board too.

With millions or billions of adopters you can create the momentum, and the mass market, that will make all the other problems easy to solve. If there were just a million active developers in open source software using PKI every day for checking in software and communicating with their peers, you would soon find the technology making its way into every web site, and browsers being adapted to make their interface easy to use. With mass adoption it would be much easier to solve all the other technological problems, because citizens and politicians would have an immediate understanding of what you were talking about.

That is what http://webid.info/ offers. Start with the low-hanging problems: passwords. Then move on to add technology piece by piece to move up the security ladder. This is the way technology works. Microsoft started with DOS and moved its way up to more and more secure versions of Windows - whatever you think of their OS, you can't deny that that was a very successful strategy.

   Henry

On 29 Jul 2011, at 09:34, Anders Rundgren wrote:

> On 2011-07-29 08:17, Peter Gutmann wrote:
>> Anders Rundgren <anders.rundgren@telia.com> writes:
>> 
>>> Dropping HTTPS CCA, it will never leave the 0.1% slot anyway so why would the 
>>> browser vendor bother about how it works?
>>> 
>>> Now to the cards: Since
>>> 1. readers is a non-standard item
>>> 2. all cards need different middleware
>>> 3. cannot be fitted with additional certificates
>>> 4. is generally only trusted by a restricted group
>>> 5. commercial CAs require certified RP SW, contracts this is simply put 
>>> entirely uninteresting
>> 
>> You forgot 2a:
>> 
>> 2a. The middleware is buggy, unstable, only works on certain system 
>> configurations or on certain hardware, prevents or upsets normal operation of 
>> the system it's installed on, etc.  Vendors mostly ignore bug reports, and 
>> aren't interested in updating their drivers unless you go back and buy another 
>> half-million cards.
> 
> You are [unfortunately] quite right.  The (relative) success smart cards have
> had in controlled environments such as payment terminals cannot be translated
> to the completely uncontrolled consumer computer base.
> 
> I see two possibilities:
> 1. The easy one.  Let Apple with iPhone/iPad provide us with the "container".
> 2. Define a new container where the interface is strict and supports provisioning
> so that even Joe Sixpack can succeed.  This is my take on the subject which
> though is about 100 times more difficult than what Apple needs to do so
> I guess I'm an idiot even trying...
> http://webpki.org/auth-token-4-the-cloud.html
> 
> I just don't like the idea of going from an OS monopoly to a full-blown
> OS + Device + Infrastructure monopoly. Banks and Governments have little
> to compete with and will also [much too] late realize they're screwed.
> 
> Anders
> 
>> 
>>> The government cards are status projects.  We have issued x millions cards.  
>> 
>> I tend to refer to them as "government charities", but that's more or less the 
>> same thing.
> 
> :-)
> 
> Anders
> 

Social Web Architect
http://bblfish.net/