Re: [TLS] TLS, PKI,
Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> Wed, 14 July 2010 11:38 UTC
Return-Path: <Bruno.Harbulot@manchester.ac.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 351333A6898 for <tls@core3.amsl.com>; Wed, 14 Jul 2010 04:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level:
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kbTLogcSvtsT for <tls@core3.amsl.com>; Wed, 14 Jul 2010 04:38:39 -0700 (PDT)
Received: from clarity.mcc.ac.uk (clarity.mcc.ac.uk [130.88.200.144]) by core3.amsl.com (Postfix) with ESMTP id 41BAE3A680E for <tls@ietf.org>; Wed, 14 Jul 2010 04:38:37 -0700 (PDT)
Received: from rankine.its.manchester.ac.uk ([130.88.25.196]) by clarity.mcc.ac.uk with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Bruno.Harbulot@manchester.ac.uk>) id 1OZ0IY-000Cvy-3x for tls@ietf.org; Wed, 14 Jul 2010 12:38:46 +0100
Received: from pulsar.rcs.manchester.ac.uk ([130.88.1.47]:43676 helo=mymachine) by rankine.its.manchester.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Bruno.Harbulot@manchester.ac.uk>) id 1OZ0IY-0000kR-0I for tls@ietf.org; Wed, 14 Jul 2010 12:38:46 +0100
Message-ID: <4C3DA1C5.1030406@manchester.ac.uk>
Date: Wed, 14 Jul 2010 12:38:45 +0100
From: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100528 Lightning/1.0b1 Thunderbird/3.0.5
MIME-Version: 1.0
To: tls@ietf.org
References: <E1OYuFO-0007XU-L1@wintermute02.cs.auckland.ac.nz>
In-Reply-To: <E1OYuFO-0007XU-L1@wintermute02.cs.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: Bruno Harbulot from pulsar.rcs.manchester.ac.uk (mymachine) [130.88.1.47]:43676
X-Authenticated-From: Bruno.Harbulot@manchester.ac.uk
Subject: Re: [TLS] TLS, PKI,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2010 11:38:40 -0000
On 14/07/10 06:11, Peter Gutmann wrote: > Martin Rex<mrex@sap.com> writes: > >> Being able to easily network a small number of computers and network-attached >> devices at home without involvement of outside third parties is a pretty >> common use case. It is where SSH started and excels in. It is where TLS >> hardly worked from the beginning and where it has become much worse since due >> to the Scare-Consumers-Away-From-This-Technology pages in recent Browsers. > > +1. Agreed, but that's comparing two different things: one is SSH, the other is the combination of TLS and PKIs. I wonder how many people really check the fingerprint of the SSH server key when they connect to a server they haven't connected to before. I've had warnings of key-changes by a server, for which I hadn't been notified of the change by the provider. After asking the technical customer service, it seemed that they weren't aware of the implications of changing the keys (I asked them what the new fingerprint was supposed to be but all I got was a confirmation that the key had changed, not the actual new fingerprint). Maybe services (for which you can't know the key in advance) should be encouraged to publish the fingerprints on their HTTPS website (whose identity will be asserted by PKIs...) I think SSH clients do a bit better than browsers for TLS+PKI in that respect because the client remembers the fingerprint after the first connection, but apart from that, there's little to check the identity of the server. PKIs aim to provide a yes/no binary answer to "can I trust this to be what it says it is?" (or ternary if you consider green/blue bars), only to abstract away the fact it's a matter of probabilities and risk-assessment that will end up somewhere between 0 and 1. I'm not sure how it's possible to go further than that without providing users with better security education (which they don't necessarily want or have time to receive). Best wishes, Bruno.
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- [TLS] Eleven out of every ten SSL certs aren't va… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Adam Langley
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Joshua Davies
- Re: [TLS] Eleven out of every ten SSL certs aren'… Yoav Nir
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nikos Mavrogiannopoulos
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Daskaluk
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… Jeffrey A. Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Frantz
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Florian Weimer
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
- Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Steffen Schulz
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Seth David Schoen
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… =JeffH
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
- [TLS] TLS, PKI, and web security. Was: Eleven out… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Robert Relyea
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Bruno Harbulot
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Robert Relyea
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Bruno Harbulot
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Yoav Nir
- Re: [TLS] TLS, PKI, Yoav Nir
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Bruno Harbulot
- Re: [TLS] TLS, PKI, Robert Relyea
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Steingruebl, Andy
- Re: [TLS] TLS, PKI, Kyle Hamilton
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Bruno Harbulot
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Ralph Holz
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Yoav Nir
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Nasko Oskov
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Kyle Hamilton