<br><br><div class="gmail_quote">On Thu, Nov 3, 2011 at 10:29 PM, Jacob Appelbaum <span dir="ltr"><<a href="mailto:jacob@appelbaum.net">jacob@appelbaum.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 11/03/2011 07:16 PM, Phillip Hallam-Baker wrote:<br>
> On Thu, Nov 3, 2011 at 9:35 PM, Jacob Appelbaum <<a href="mailto:jacob@appelbaum.net">jacob@appelbaum.net</a>> wrote:<br>
><br>
>> On 11/03/2011 05:27 PM, Phillip Hallam-Baker wrote:<br>
>>> People who throw stones...<br>
>>><br>
>>> Seems to me that EFF and Moxie have been holding everyone else to a<br>
>> certain<br>
>>> standard these past few months.<br>
>>><br>
>>> I don't think that either would accept 'recognized and acknowledged' as<br>
>> an<br>
>>> excuse.<br>
>>><br>
>>><br>
>>> In the case of Convergence the site does not say a blessed thing about<br>
>> the<br>
>>> proposal. Not a squeak, not a sausage. It is pure marketing glitz with<br>
>>> fancy graphics but no substance.<br>
>>><br>
>><br>
>> If someone is going to accuse an open source project of being a backdoor<br>
>> they could at least link to the offending code.<br>
>><br>
><br>
> If someone is going to claim that there are '650 CAs' then they could at<br>
> least ask why the DFN root has 200 intermediates chained and if they are<br>
> actually CAs as being claimed.<br>
><br>
<br>
</div>This is a pretty conservative number - consider that Dan Kaminsky often<br>
says the number is around ~1600 - what's the correct number?<br></blockquote><div><br></div><div>What makes either of them able to provide an accurate figure?</div><div><br></div><div>In the case of the EFF study the methodology is flawed, they have been advised of the issue, they accept that they cannot tell if an intermediate cert is a public CA or not. Yet they keep making the claim.</div>
<div><br></div><div>The number of WebTrust audits of CAs would probably be the place to start since anything that is acting as a public CA that is not being audited should not be.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Additionally, I believe you are mistaken about such a quote from me. I<br>
did a quick search and found articles that cite the EFF and also quote<br>
me - the EFF citation is not a quote from me - I don't work for the EFF.</blockquote><div><br></div><div>The parent post was attacking the EFF and in particular one of the authors of the claim. </div><div><br></div><div>
<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
> EFF has been mighty economical with the truth of late. I have been pretty<br>
> sick of it to tell the truth. The 650 CAs claim was garbage, they know it<br>
> is garbage but you keep on repeating it to the press as fact.<br>
><br>
<br>
</div>How many CAs exist today that can sign a certificate and then that<br>
certificate will be accepted as valid?</blockquote><div><br></div><div>I can't give a figure right now. But we should be able to get a figure once the minimum criteria for DV issue are applied.</div><div><br></div><div>
It should be somewhere between 30 and 50 entities performing the domain validation part of the criteria after the dust settles. </div><div><br></div><div>Then there is a much larger number of resellers some of which perform some validation steps for OV validation but do not have keys and do not perform the domain name checking.</div>
<div><br></div><div><br></div><div>It wasn't my idea to let all those roots into the browsers in the first place. My idea for minimum standards for SSL cert issue was pretty much EV.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">
> Well now they are having problems being believed and I am afraid that I<br>
> can't actually vouch for their honesty any more.<br>
><br>
<br>
</div>This is a diversion. The person behind this slander says that they're<br>
writing backdoors - it's a pretty different thing from what you're<br>
saying, which is that you disagree with their counting methods.<br>
<br>
One is a matter of methodology and the other integrity. I'm sure someone<br>
from the EFF will chime in here and I welcome that discussion.</blockquote><div><br></div><div>No, they both turn into matters of integrity when a half truth is intentionally used to advance a political agenda. Gilmore has repeatedly used the 650 figure as evidence in his attacks on the CA model. He does not put in the caveats that the authors used in the paper, nor does the EFF in their press releases.</div>
<div><br></div><div>So its kind of a Fox News type approach of introducing a report that makes a misleading claim and then repeat the headline constantly. When challenged go running back to the report and say 'hey look, we did put a caveat'.</div>
<div><br></div><div>Sorry, that is a dishonest way to conduct a debate.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
>> This rumor is a bunch of bullshit and I can't believe it spilled onto<br>
>> this list too.<br>
>><br>
><br>
> The Iranian government runs a Warez site filled with all sorts of software<br>
> that is not legally for sale in Iran.<br>
<br>
</div>Citation please.</blockquote><div><br></div><div>Personal conversation with US intelligence.`</div><div><br></div><div>Feel free to discount the source if you like. But I somehow doubt that they would be wanting to give the Iranian regime ideas. If they were not doing it earlier they are quite definitely aware of the tactic since I talked about it on the VoA and BBC World Service Persian editions.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
> So I would not discount the possibility of there being IRG versions of Tor<br>
> in circulation. In fact it seems rather likely that they have done that<br>
> already.<br>
<br>
</div>What do you base this on? We'd love to see a sample - feel free to send<br>
us some evidence.<br></blockquote><div><br></div><div>Well it should be quite easy to duplicate the work. We know that it is imposible to buy Microsoft Windows legally in Iran. Ergo there must be some alternative distribution system.</div>
<div><br></div><div>Why wouldn't they try to compromise the machines? Seems like an obvious attack for them to do. If the US government tells me that Iran is following a course of action that is obvious to me I tend to believe them unless proven otherwise.</div>
<div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
In any case, I hardly see what any of this has to do with the<br>
allegations from the parent post. It appears to be slander with<br>
absolutely no factual backing.<br></blockquote></div><div><br></div>The connection is that none of us can simply assume that others will believe us when we claim to be acting in good faith. <div><br></div><div>The standard here is not 'prove that I am a liar'. As a CA I have to convince people that they can trust me. And that is the standard that you will have to try to meet if you ever want to replace me. It is not a fair standard at all. But it is the standard that rules.</div>
<div><br></div><div><br></div><div>All these systems are turtles stacked on turtles. It is really easy to design a system that works if you are allowed to insert a single magic turtle that is absolutely trustworthy into the stack.</div>
<div><br></div><div>And is it really easy to collapse someone else's stack by pointing out that their turtle may not be trustworthy after all.</div><div><br></div><div>If you want to go round pointing at other people's magic turtles and point out that they are not so magic then they get to point out your magic turtles.</div>
<div><br></div><div><br></div><div>DANE has a magic turtle called ICANN. In the case of Convergence the description does not even begin to explain what the turtle is let alone why it could be magic.</div><div><div><br></div>
<div>The solution in my view is to move from relying on a single turtle to a system where more than one turtle has to break.</div><div><br></div><div><br></div>-- <br>Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><br>
<br>
</div>