Re: [TLS] EU cards

Henry Story <> Sat, 30 July 2011 08:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7832621F87ED for <>; Sat, 30 Jul 2011 01:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.539
X-Spam-Status: No, score=0.539 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FUZZY_CREDIT=1.238, J_CHICKENPOX_24=0.6, MANGLED_CREDIT=2.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jLthAWPwU7HM for <>; Sat, 30 Jul 2011 01:41:14 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6F02721F84EB for <>; Sat, 30 Jul 2011 01:41:14 -0700 (PDT)
Received: by wyj26 with SMTP id 26so287931wyj.31 for <>; Sat, 30 Jul 2011 01:41:13 -0700 (PDT)
Received: by with SMTP id a4mr3234984wbb.46.1312015273609; Sat, 30 Jul 2011 01:41:13 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id eo18sm2397675wbb.63.2011. (version=TLSv1/SSLv3 cipher=OTHER); Sat, 30 Jul 2011 01:41:12 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset=iso-8859-1
From: Henry Story <>
In-Reply-To: <>
Date: Sat, 30 Jul 2011 10:41:09 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.1244.3)
Cc: " List" <>
Subject: Re: [TLS] EU cards
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 30 Jul 2011 08:41:20 -0000

On 29 Jul 2011, at 13:33, Yoav Nir wrote:

> On Jul 29, 2011, at 4:00 AM, Henry Story wrote:
>> My take from this whole discussion is that PKI has been sold to unilaterally to one group of people. It has been sold to large banks and security heavy industries. They tend to make things more complicated, and their security people are too security conscious, having to deal with the most determined enemies. A good security profession in banks MUST like a good military man, be far from the daily family life. He is there to think about disasters, so that they don't happen, so that nobody should think about them. 
>> What should happen instead is to lower the security requirements, and enter the mass market. Just as we don't put fort knox security on our houses, but use simple keys with well known security issues, so one should start using PKI in a cheap but useful way.
> The well-known issues in keys allow an expert to invade a home and steal the big-screen TV. It does not allow the expert to automatically invade all 100,000,000 homes in the US and steal every TV. Computers are very good at automation.

That is why no banks just accepts crédit card transactions automatically. They check the recent pattern of activities and compare it to someone's usual pattern of activity. TLS does not remove the need to keep doing this type of checking. 

Again we have here the knee jerk security reaction that tries to compare TLS with an ideal technology which does not exist, and then finds it wanting.

Consider also that most web sites one has access to don't have anything to steal. If you do propose financial transactions, then just add extra levels of verification.

>> To get that ball rolling PKI has to be dirt cheap, and extremely useful. It has to be 
>> - one click to create a throw away certificate
>> - authenticate across all sites (as Facebook connect does)
>> (-> tie into the social web)
> So what would PKI (with throw-away certificates) bring to the table that facebook connect doesn't?

Complete decentralization. Banks, companies, personal servers can all participate. There is a short video on that explains that. If you find that interesting you can also see the paper I presented at the first conference "Web & Philosophy" sponsored by the W3C that is on my home page.

>> That would provide a big enough improvement over passwords to get people interested, and it has a viral side to it. As soon as it works for enough people, those people become interested in getting others on board too.
> I don't see why.

That is because you have not yet understood the distributed nature of WebID, as your previous question revealed.

> Logging into my bank to check my account balance is not one of those activities I like to share with friends. This is totally different from watching a funny video on youtube or pictures of cats with witty remarks.

You would not be going to your bank account as a social site to chat with people. But you could potentially use your bank certificate to authenticate on other sites. (This is something that would require some brainstorming - think of these few paragraphs as an initial lightenging.) The Bank would put it's webid in the Issuer Alternative Name. Every country could publish a list of its legal banks and those it recognized from other countries.  Perhaps the US would publish in a file containing among other things the following relation

<> a us:Bank .

So here the social part is not in who you know, but who knows your bank. And of course at that level it is states and the global network of states that form the apropriate social partners.

In a banking situation your WebID is not linked to by friends, but more by commercial transactions. Your bank webid could be

If you noticed a problem with your private key it's public key would be removed from that document. 

>> With millions or billions of adopters you can create the momentum, and the mass market, that will make all the other problems easy to solve. If there were just a million active developers in open source software using PKI every day for checking in software and communicating with their peers, you would soon find the technology make its way into every web site, and browsers being adapted to make their interface easy to use. With mass adoption it would be much easier to solve all the other technological problems, because citizens and politicians would have an immediate understanding of what you were talking about.
> Again, PKI without a trust relationship with an identity provider can make some protocols more efficient (compare OpenID to BrowserID) but it doesn't bring any new security to the table.

There are many more uses of PKIX once one ties PKIX into the web. Should we call this PKIW?  
The point is to explore and massively grow the use of PKI here. 

Btw, this in itself will massively increase security, as it - with DNSSEC and DANE - will move us to a 100% https web. Think of the huge security holes in the web currently. A few endpoints are https protected. But all the other web pages people click on to reach that web site can be man in the middle attacked and the links in the html be rewritten to point to fake sites. The pages that the Google crawler receives, can also be man in the middle attacked. Allow each resource to be protected just a little bit will in the network effect of the web lead to huge improvements overall.



Social Web Architect