[SSL Observatory] [cryptography] After the dust settles -- what happens next? (v. Long)

Ian G iang at iang.org
Mon Sep 12 02:02:06 PDT 2011


The problem with "shifts of faith" is that if there is really a groundswell against, we're as likely to miss it. People who leave generally do exactly that, and don't bother talking about it.

That said ..

>>> Some of us observe a third, more likely approach: nothing significant happens due to this event.

This is a good point. The null option exists. And, given the history, it demands serious consideration.

Having taken on the devil's commission as advocate, I'll play it out :)

> Do you have any evidence that improving crypto is being talked about by those affected in Iran? I haven't seen it yet.

I'm not sure I'd want to hear Iranians talking about improving their comsec. Not a good sign. Same for the Chinese ...

> Look what you just wrote. Those [Dutch business/government] folks aren't looking for us to fix PKIX: they are looking for different CAs. That's not a "collapse of faith", just a desire for a quick fix.

Now, yes. But, Blind Freddy can see they have zero choice in the matter. The question is, are they willing sheep, or are they future foxy converts to an alternate...

Look at it this way. Last year, risk analysis didn't include the scenario "and your CA just collapsed and all your certs are rejected and all your portals are in chaos."

Next year, they do.


> Could be, but neither you nor I work at Google so that's pure speculation.

Just FTR, entire post was speculation. Because...


> (There are likely some Googlers on this list who can speak authoritatively on whether their management are "scared as hell" or even noticing.)

Googlers are unlikely to do so. Google has a firm rule about not discussing business outside the company.

>> ? I have seen zero in the serious business press (Forbes, BusWeek, etc.)

Serious? Business? Press? Is there any such thing?

It's been a long time since I've seen any general press do more than copy soundbites from their favorite mouthpieces or recycle each other's stories.
...

>> The governments and government contractors  ...

On this I agree with Paul. Governments will be the slowest of the slow, the most compliant of the compliant. Even if they wanted to, they won't budge until a private sector solution is unstoppable. And even then, I doubt they'll talk about it openly, for compliance reasons.

> .... Many of the people who you and I *want* to be concerned are not as concerned as you say.

Sure. We tried to get people concerned for over a decade. It didn't work. This ain't gonna change that.

It doesn't work like that. The buying public probably is as equally concerned about famine in Africa or global warming or dolphin sandwiches. In each case, they'll ask, "what can I do about it?"

The answer is, today, nothing.

On the build or sell side, anyone making money doesn't want to change. I speculate that might change, because for the first time, we have a builder, who has all the interests in-house, who's looking at losing money.

>> The full damage is not even out yet. This thing is just getting started.
> 
> If there is more significant damage in the future, of course people will talk about it more. But that's just guessing about the future.

The point is more, is this it? Can we say this was an isolated incident, like the RapidSSL thing? Or the Debian thing?

Or, is there more rot under the paintwork?  That's the question that isn't being answered.

Try this thought experiment. Someone important phones you up and asks, "is this it? Do we have all the bad news? Give me faith!"

How to answer?

Faith is built on certainty. Up until now, even detractors had to admit that PKI was certain to carry on exactly as is; certs, SSL, browsing, etc.


> ... "influential people". ..

As above, if I was influential, I'd keep my mouth shut. If I wanted to shift, I'd know that it's easier to do it quietly.

As it is, I'm not, so I speculate openly :)

Iang