[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)
iang at iang.org
Wed Jul 13 17:28:18 EDT 2011

On 14/07/11 4:33 AM, Jeffrey Walton wrote:
> On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald <jamesd at echeque.com> wrote:
>> On 2011-07-13 9:10 PM, Peter Gutmann wrote:
>>> As for Microsoft,

Microsoft have a big interest in bypassing the status quo, and they've
tried several times. But each time it isn't for the benefit of the
users, more for their own benefit, in that they've tried to rebuild the
security infrastructure with themselves in control. (recall .net,
InfoCard, Brands' patents, etc.) Nothing wrong with that, they have to
pay for it somehow.

This has proven ... a harder nut to crack than they envisage. But at
least they are trying, my hat goes off to them!

>>> Opera, etc who knows? (If you work on, or have worked
>>> any of these browsers, I'd like to hear more about why it hasn't been
>>> considered). I think it'll be a combination of two factors:
>>> 1. Everyone knows that passwords are insecure so it's not worth trying to
>>> anything with them.
>>> 2. If you add failsafe mutual authentication via EKE to browsers, CAs
>>> entirely redundant.
>> Indeed, if EKE is implemented in the most straightforward way, any page or
>> data that can only be accessed while logged in, is securely encrypted even
>> if accessed over http.
>> Free browsers are supported by CAs.

Well, not financially, more like the policy side is impacted by the CAs,
which are coordinated in a confidential industry body called CABForum.
This body communicates internally to Mozilla (being a member) and via
private comment by CAs to the CA desk.

Against that are a small and noisy but also uncoordinated group of user
representatives. As we're punching against an organised, paid opponent
that can't be seen, we don't get very far.

They (Mozilla, other vendors and the CAs) are in the process of raising
the standards yet again for CAs, on the back of various claimed breaches
of certs and rising angst against all security problems. Because they
have laid out their architecture, and because it makes money, they
aren't about to change it. But they are bedding it in.

The chances of them approving or agreeing to EKE are next to nil.

>> EKE enabled browsers would only be
>> supported by people needing secure logins, which form a less concentrated
>> interest, therefore an interest less capable of providing public goods.
> I believe Mozilla is [in]directly supported by Google. Mozilla has
> made so much money, they nearly lost their tax exempt status:
> I was also talking with a fellow who told me NSS is owned by Red Hat.
> While NSS is open source, the validated module is proprietary. I don't
> use NSS (and have no need to interop with the library), so I never
> looked into the relationship.

Possibly, I haven't heard that. The problem with Mozilla security
coding is more this: most (all?) of the programmers who work in that
area are all employees of the big software providers. And they all have
a vested interest in working for the status quo, all are opposed to any
(Not because they are bad or good, but because that's what they are paid
(It doesn't help to offer help either; they have their ways of
rejecting any asymmetric help.)