[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Phillip Hallam-Baker hallam at gmail.com
Thu Nov 3 21:47:27 PDT 2011


On Thu, Nov 3, 2011 at 10:29 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:

> On 11/03/2011 07:16 PM, Phillip Hallam-Baker wrote:
> > On Thu, Nov 3, 2011 at 9:35 PM, Jacob Appelbaum <jacob at appelbaum.net>
> wrote:
> >
> >> On 11/03/2011 05:27 PM, Phillip Hallam-Baker wrote:
> >>> People who throw stones...
> >>>
> >>> Seems to me that EFF and Moxie have been holding everyone else to a
> >> certain
> >>> standard these past few months.
> >>>
> >>> I don't think that either would accept 'recognized and acknowledged' as
> >> an
> >>> excuse.
> >>>
> >>>
> >>> In the case of Convergence the site does not say a blessed thing about
> >> the
> >>> proposal. Not a squeak, not a sausage. It is pure marketing glitz with
> >>> fancy graphics but no substance.
> >>>
> >>
> >> If someone is going to accuse an open source project of being a backdoor
> >> they could at least link to the offending code.
> >>
> >
> > If someone is going to claim that there are '650 CAs' then they could at
> > least ask why the DFN root has 200 intermediates chained and if they are
> > actually CAs as being claimed.
> >
>
> This is a pretty conservative number - consider that Dan Kaminsky often
> says the number is around ~1600 - what's the correct number?
>

What makes either of them able to provide an accurate figure?

In the case of the EFF study the methodology is flawed, they have been
advised of the issue, they accept that they cannot tell if an intermediate
cert is a public CA or not. Yet they keep making the claim.

The number of WebTrust audits of CAs would probably be the place to start
since anything that is acting as a public CA that is not being audited
should not be.


> Additionally, I believe you are mistaken about such a quote from me. I
> did a quick search and found articles that cite the EFF and also quote
> me - the EFF citation is not a quote from me - I don't work for the EFF.


The parent post was attacking the EFF and in particular one of the authors
of the claim.





> > EFF has been mighty economical with the truth of late. I have been pretty
> > sick of it to tell the truth. The 650 CAs claim was garbage, they know it
> > is garbage but you keep on repeating it to the press as fact.
> >
>
> How many CAs exist today that can sign a certificate and then that
> certificate will be accepted as valid?


I can't give a figure right now. But we should be able to get a figure once
the minimum criteria for DV issue are applied.

It should be somewhere between 30 and 50 entities performing the domain
validation part of the criteria after the dust settles.

Then there is a much larger number of resellers some of which perform some
validation steps for OV validation but do not have keys and do not perform
the domain name checking.


It wasn't my idea to let all those roots into the browsers in the first
place. My idea for minimum standards for SSL cert issue was pretty much EV.



> > Well now they are having problems being believed and I am afraid that I
> > can't actually vouch for their honesty any more.
> >
>
> This is a diversion. The person behind this slander says that they're
> writing backdoors - it's a pretty different thing from what you're
> saying, which is that you disagree with their counting methods.
>
> One is a matter of methodology and the other integrity. I'm sure someone
> from the EFF will chime in here and I welcome that discussion.


No, they both turn into matters of integrity when a half truth is
intentionally used to advance a political agenda. Gilmore has repeatedly
used the 650 figure as evidence in his attacks on the CA model. He does not
put in the caveats that the authors used in the paper, nor does the EFF in
their press releases.

So it's kind of a Fox News type approach of introducing a report that makes
a misleading claim and then repeat the headline constantly. When challenged
go running back to the report and say 'hey look, we did put a caveat'.

Sorry, that is a dishonest way to conduct a debate.


> >> This rumor is a bunch of bullshit and I can't believe it spilled onto
> >> this list too.
> >>
> >
> > The Iranian government runs a Warez site filled with all sorts of
> software
> > that is not legally for sale in Iran.
>
> Citation please.


Personal conversation with US intelligence.

Feel free to discount the source if you like. But I somehow doubt that they
would be wanting to give the Iranian regime ideas. If they were not doing
it earlier they are quite definitely aware of the tactic since I talked
about it on the VoA and BBC World Service Persian editions.



> > So I would not discount the possibility of there being IRG versions of
> Tor
> > in circulation. In fact it seems rather likely that they have done that
> > already.
>
> What do you base this on? We'd love to see a sample - feel free to send
> us some evidence.
>

Well it should be quite easy to duplicate the work. We know that it is
impossible to buy Microsoft Windows legally in Iran. Ergo there must be some
alternative distribution system.

Why wouldn't they try to compromise the machines? Seems like an obvious
attack for them to do. If the US government tells me that Iran is following
a course of action that is obvious to me I tend to believe them unless
proven otherwise.


> In any case, I hardly see what any of this has to do with the
> allegations from the parent post. It appears to be slander with
> absolutely no factual backing.
>

The connection is that none of us can simply assume that others will
believe us when we claim to be acting in good faith.

The standard here is not 'prove that I am a liar'. As a CA I have to
convince people that they can trust me. And that is the standard that you
will have to try to meet if you ever want to replace me. It is not a fair
standard at all. But it is the standard that rules.


All these systems are turtles stacked on turtles. It is really easy to
design a system that works if you are allowed to insert a single magic
turtle that is absolutely trustworthy into the stack.

And it is really easy to collapse someone else's stack by pointing out that
their turtle may not be trustworthy after all.

If you want to go round pointing at other people's magic turtles and point
out that they are not so magic then they get to point out your magic
turtles.


DANE has a magic turtle called ICANN. In the case of Convergence the
description does not even begin to explain what the turtle is let alone why
it could be magic.

The solution in my view is to move from relying on a single turtle to a
system where more than one turtle has to break.


-- 
Website: http://hallambaker.com/