The state-level attack on the SSL CA security model
On 25/03/2011 6:45 PM, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 25 Mar 2011 09:19:52 PDT, "Akyol, Bora A" said:
>> One could argue that you could try something like the facebook model (or
>> facebook itself). I can see it coming.
>> Facebook web of trust app ;-)
> Gee thanks. I'm going to have nightmares for *weeks* now... :)
Based on the Facebook model:
1. Friends - people among whom are some I most probably never knew before, or some I would not even say hello to.
2. Trusted friends - people I actually say hello to.
I think you'll need "Highly trusted friends" as a 3rd level :)

And that will hold for about 1 month, until people will start banging on your "inner circle" virtual door, and soon enough your list of trusted and highly trusted friends will start filling up.

What does "trusted" mean in this particular case? There is no one list of criteria for being "trustworthy", and some people are more trusting than others. How would trustworthiness be measured anyhow? How many people signed your thing, who are also trustworthy themselves (which means that their SIG was also signed by trustworthy people, see the vicious circle)? And would people from a certain part of the globe or certain countries be more trustworthy based on their country's trustworthiness, or maybe on their culture being more open and trusting?

If this is to become some kind of global meaningful thing, it needs to be standardized, so it will have the same meaning regardless of where this is applied, and it will have straightforward means of "measuring" trust. Is there such a standard in place?

Just for an example, we have in Israel a CA that is recognized by the government - they are allowed to issue certificates used for signing documents - and signing with certs issued by this CA is admissible in court under the electronic signatures law. The government has put up a certain standard for what a CA needs to do in order to be recognized as trustworthy. Only one CA in Israel attained this status. Does that mean they are trustworthy to you? I don't think so. So it can't be a local thing, it needs to be a global thing, and the standard needs to be global and accepted as well.
--Ariel
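As an added illustration of the "vicious circle" raised in the message above (this is not code from the original post or its author), the following Python computes key validity the way the classic PGP web-of-trust model does: a key counts as valid only when it is signed by enough keys that are themselves valid and that the local user has marked as trusted introducers, so validity and trust feed back into each other and the computation has to iterate to a fixed point. The thresholds (one fully trusted or three marginally trusted signatures), the depth limit, and all names, keys and signatures are constructed sample data chosen for the demonstration; a ring of keys that only sign each other, with no path back to a key verified in person, never becomes valid no matter how much trust is assigned to its members.

```python
"""
Added example (not from the original mailing-list post): a PGP-style
web-of-trust validity computation on constructed sample data.
"""
from typing import Dict, Optional, Set

# Owner-trust levels: how much I trust a key holder as an introducer.
UNKNOWN, MARGINAL, FULL = 0, 1, 2

# Classic PGP thresholds (assumed for this example): a key is valid when
# signed by one fully trusted valid key or three marginally trusted ones.
FULL_NEEDED = 1
MARGINAL_NEEDED = 3


def compute_validity(
    signatures: Dict[str, Set[str]],  # key -> set of keys that signed it
    owner_trust: Dict[str, int],      # key -> my trust in it as introducer
    roots: Set[str],                  # keys I verified myself (always valid)
    max_depth: int = 5,               # longest introduction chain accepted
) -> Set[str]:
    """Return the set of keys that are valid from my point of view.

    Iterates until no further key can be promoted: a signature only counts
    once the signer's own key has become valid, which is exactly the
    circular dependency the discussion is about.
    """
    depth: Dict[str, int] = {k: 0 for k in roots}  # valid key -> chain length
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in depth:
                continue  # already valid
            full = marginal = 0
            best_depth: Optional[int] = None
            for signer in signers:
                # Signer must already be valid and not too far down a chain.
                if signer not in depth or depth[signer] >= max_depth:
                    continue
                trust = owner_trust.get(signer, UNKNOWN)
                if trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                else:
                    continue  # valid key, but not trusted as an introducer
                cand = depth[signer] + 1
                best_depth = cand if best_depth is None else min(best_depth, cand)
            if full >= FULL_NEEDED or marginal >= MARGINAL_NEEDED:
                depth[key] = best_depth if best_depth is not None else 1
                changed = True
    return set(depth)


# Constructed sample web: "ariel" is the key I verified in person.
SIGNATURES: Dict[str, Set[str]] = {
    "bob":   {"ariel"},
    "carol": {"ariel"},
    "heidi": {"ariel"},
    "dave":  {"bob", "carol", "heidi", "eve"},  # three marginal signers
    "grace": {"bob"},                           # only one marginal signer
    "eve":   {"frank"},                         # eve and frank only sign
    "frank": {"eve"},                           # each other: a closed ring
}

OWNER_TRUST: Dict[str, int] = {
    "ariel": FULL,
    "bob": MARGINAL,
    "carol": MARGINAL,
    "heidi": MARGINAL,
    "eve": FULL,      # trusted as introducer, but her key never becomes valid
    "frank": UNKNOWN,
}


def sample_validity(max_depth: int = 5) -> Set[str]:
    """Run the model over the constructed web with 'ariel' as the only root."""
    return compute_validity(SIGNATURES, OWNER_TRUST, {"ariel"}, max_depth)


if __name__ == "__main__":
    print(sorted(sample_validity()))
    # -> ['ariel', 'bob', 'carol', 'dave', 'heidi']; eve, frank and grace
    #    stay invalid because no chain of valid, trusted signers reaches them.
```

The point the model makes concrete: assigning trust to a key ("eve" is marked FULL) does nothing until that key is itself reachable from something the verifier checked out of band, and a mutually signing ring ("eve" and "frank") never bootstraps itself. Whatever a global "trust standard" would look like, it has to supply those out-of-band anchors and the thresholds; the signature graph alone cannot.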